Kaspersky Lab's Alex Gostev Comments on McAfee's Shady RAT Report

04 Aug 2011

Citing the lack of evidence and specific data, Alex Gostev, Chief Security Expert, Kaspersky Lab, calls McAfee's claim that this is the biggest cyber attack in history premature and based only on assumptions.

Alex's commentary below summarizes these points and explains specifically what he sees as faulty in, and missing from, the report.

KASPERSKY LAB STATEMENT (attributable to Alex Gostev, Chief Security Expert, Kaspersky Lab):

The information presented by McAfee’s specialists would be more convincing if it answered a number of vital questions. The report only tells us that the company’s experts discovered access logs of connections with a certain web server, which at some point had been used by hackers. In their turn these logs indicate that interaction between this server and computers of large organizations was snooped on.

Based only on this information, McAfee makes two interesting assumptions: first – that a series of attacks has taken place; second – that valuable data has been stolen. However, the report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks. The names of the malicious programs listed in the document that are in some way related to the server in question are too general: exactly which Trojans have been used cannot be established. And as far as we are aware, McAfee has not provided samples of the Trojans to other antivirus companies, as normally occurs in the industry in situations like these.

The document contains no information about who is responsible for the attack. Talk in the media about China probably being behind the attacks is all based on the opinion of a third-party expert who was briefed by McAfee. For our part we would point out that the Internet is connected to a great many servers of this type, they are used by cybercriminals, and several of them have indeed been functioning for years. However, a situation in which a complicated and large-scale corporate espionage operation is alleged to have been undertaken for years, but whose sophisticated organizers do not clean up their server access logs after them - this is something that can certainly be described as unusual.

Over the last several years cyberspace has changed remarkably - and only for the worse. The number of attacks, including those using malware, has risen almost ten-fold. Cybercrime these days is not only made up of traditional attacks on users; increasingly frequently it is taking the form of attacks on large corporations and financial and governmental institutions. And just how vulnerable large corporations are has recently been demonstrated by the Anonymous and LulzSec groups. Incidents involving infected corporations and state institutions now occur all the time. And with every such infection, affected computers of course connect with this or that Internet resource. To deem every such connection part of a planned attack and resultant data loss represents too superficial and unrealistic a standpoint on the issue.

Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature. Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas (news of the report appeared hours before the opening), which is one of the most important events of the year in the world of IT security.