Aug. 5, 2011 at 7:14 PM ET
Whether it's spite, semantics or something lacking in the research, some of McAfee's competitors are challenging the company's findings about "Operation Shady RAT," the worldwide series of cyber attacks disclosed by McAfee earlier this week that could be the biggest to date.
Both Symantec, maker of Norton Anti-Virus, and Kaspersky Lab, another security software maker, are questioning McAfee's report, which says Operation Shady RAT targeted 72 organizations including the United Nations, governments and companies around the world. The United States was the main focus of the attacks, which were aimed at stealing intellectual property, such as ideas, strategies and plans, rather than financial data, McAfee said.
"While this attack is indeed significant, it is one of many similar attacks taking place daily," wrote Hon Lau of Symantec, in a piece called "The Truth Behind the Shady RAT" on the company's blog.
"Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets," he wrote. "Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case."
Symantec analyzed and shared on its blog what it believes were the three stages of the attacks, including the use of email and Trojans (hidden malware).
Alex Gostev, Kaspersky Lab's chief security expert, said the contention that Operation Shady RAT is the biggest cyber attack in history is "premature," and is not backed up by evidence.
"The information presented by McAfee’s specialists would be more convincing if it answered a number of vital questions," Gostev wrote in a commentary emailed to media organizations.
"The report only tells us that the company’s experts discovered access logs of connections with a certain Web server, which at some point had been used by hackers," he said in the email. "In their turn these logs indicate that interaction between this server and computers of large organizations were snooped on."
The Kaspersky email continued:
Based only on this information, McAfee makes two interesting assumptions: first — that a series of attacks has taken place; second — that valuable data has been stolen ... However, the report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks. The names of the malicious programs listed in the document that are in some way related to the server in question are too general: particularly which Trojans have been used cannot be established. And as far as we are aware McAfee has not provided samples of the Trojans to other antivirus companies, as normally occurs in the industry in situations like these.
Gostev also took McAfee to task for not saying "who is responsible for the attack." McAfee said it believes there was one "state actor" behind the effort, but declined to name it. Some security experts have suggested China, but the government-run People's Daily there said Friday it was "irresponsible" to link China with the attacks.
"We would point out that the Internet is connected to a great many servers of this type, they are used by cybercriminals, and several of them have indeed been functioning for years," Gostev wrote. "However, a situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them — this is something that can certainly be described as unusual."
McAfee, asked for comments about the criticisms Friday, had little to say.
A company spokesperson said McAfee has "good reasons not to provide more in-depth detail behind Shady RAT" right now because of an ongoing "law enforcement investigation."
The earliest breaches date back to mid-2006, the company said in its report, though there might have been other intrusions as yet undetected. (RAT stands for "remote access tool" — it's a type of software that is used to access computer networks from afar.)
"This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing," wrote McAfee's vice president of threat research, Dmitri Alperovitch, in the report.