Platt Perspective on Business and Technology

The China Conundrum and its implications for international cyber-security – 13

Posted in business and convergent technologies by Timothy Platt on September 9, 2011

This is my 13th installment in an occasional if open-ended series on international cyber-security that focuses on China. And I begin it by noting a dichotomy of interest. A great deal of public attention and concern is focused on the public-facing and generally overtly motivated hacktivist (and see also hacktivism) exploits of groups such as Anonymous and Lulz Security (LulzSec). They in fact fairly actively seek out publicity and carry out their computer systems compromise and intrusion activities to make political statements. Much less attention is placed on longer term, more technically sophisticated cyber-intrusion programs that seek to covertly mine private and public sector organizations for confidential information, frequently for months and even for years at a time. These more systematic and covert initiatives, given names like Operation Aurora and Night Dragon once they are identified, systematically compromise more organizations and more confidential and sensitive information, and do far more damage. But while they do receive mention in the general-public press, they receive much less attention and are quickly forgotten for the most part except by those in cybersecurity and related fields.

I write this posting in follow-up to yet another unveiling of what appears to be a significantly scaled, long term breach of governmental and private sector computer systems – Operation Shady RAT. Here, RAT is an acronym for Remote Access Tool, and this operation was first publicly revealed by Dmitri Alperovitch, the Vice President of Threat Research at the internet security company McAfee (see their August 2011 white paper on this).

The presumption with some evidence to support it is that Shady RAT is/was a real single operation, organized and launched by a state organization as many of the organizations specifically targeted for security breach through it would provide information that would be of value to governments but that would not carry significant value for competition in the commercial marketplace. This same presumption, at least when the initial McAfee report was reviewed and commented upon by others, would tag China as the most probable source of Shady RAT. That conclusion has been based on the selection of targets that McAfee was able to identify from log files found when it hacked into a Shady RAT command and control server, in identifying and analyzing this cyber-security threat.

Some security experts argue the case that Shady RAT was not in fact a single highly organized government sponsored cyber-spying operation and I will add that the same types of doubt have been raised as to several previously identified operations (e.g. Night Dragon) too.

A point I have seen raised numerous times in discussion and debate over this newer Operation Shady RAT that I am sure will keep coming up as new covert cyber-intrusion operations are identified, is that any and every organization – governmental, for profit, private sector, nonprofit or non-governmental organization (NGO) of any significance and at least potentially holding any valuable proprietary information is, or at least will become a target for cyber-security attack.

Over 70 organizations, globally distributed, have been identified from those command and control server log files as having been compromised by Operation Shady RAT, with more indicated even if those specific organizations cannot as readily be identified from the log records. But organizations that have been identified span as diverse a range as defense contractors and Olympic organizing committees. So on the face of things at least, this looks to be a very significant long term assault with very wide-ranging and ambitious information gathering objectives. But this posting is not simply about Shady RAT or any of its specific relatives. I add that while I have posted this in my China Conundrum series (see Ubiquitous Computing and Communications – everywhere all the time, postings 69 and scattered following) my focus here is not on China’s actual role in this either, though I admit they do at least appear to be a likely candidate for this.

• If there is a single point of focus here that I would seek to drive home as a take away lesson, it is that every organization that in any way holds confidential, sensitive or proprietary information on its computers and computer systems, needs to begin thinking and acting as if others were seeking to breach their security to capture this from them.

I note here that Operation Shady RAT began its computer systems exploits on target organizations via spear phishing attacks – email based attacks that were sent out targeting specific individuals with messages designed to entice them into clicking links that would lead to their computers being compromised as doorways into their organization’s systems. So this calls for a much more thorough standard of cyber-security practice at the IT department level, but it also calls for a much more thorough and comprehensive standard of practice in training and educating members of the organization’s staff.

As a final thought here, I pointed out in earlier postings that SCADA systems are in all likelihood going to become crucial targets for potential cyber-attack (see, for example Stuxnet, Cyber Warfare and the Challenge of the Intelligent Infrastructure and following entries in that series, as posted in Ubiquitous Computing and Communications – everywhere all the time.) Capturing sensitive SCADA configuration data was one of the target objectives identified by McAfee as it analyzed command and control server log file data obtained from its study of Operation Shady RAT. New types of data and knowledge assembled from it are becoming increasingly important to protect, just as new potential avenues for surreptitiously accessing it arise. This is an area of due diligence and risk remediation that has to be continually reviewed and updated, and both for identifying potential targets and for identifying and addressing ways that these resources could be exploited.

I am sure to come back to the issues touched upon here in this posting, in future blog entries. You can find postings related to cyber-security at Ubiquitous Computing and Communications – everywhere all the time and also at Business Strategy and Operations.
