I've been seeing a lot of wordage today about Dmitry Alperovitch's Shady Rat report, ranging from "Wow! Who knew?!" to "Nothing new here." Or, as Paul Wagenseil puts it, Don’t Believe the Hype: 'Operation Shady RAT' Is Nothing New. Well, "hype" is way too strong. There's some interesting stuff in the report. However, it's not startlingly new. I remember discussions about spearphishing attacks originating in China well before 2006, though they weren't made public.
And as Alperovitch himself says, this is just one operation.
As it happens, we (AVIEN and myself) devoted quite a lot of space to one Chinese operation, the NCPH group, in the “AVIEN Malware Defense Guide for the Enterprise” (hat tip to Ken Dunham and Jim Melnick, who contributed that section of the "Creme de la Cybercrime" chapter).
The group began to make an impression in 2006 with GinWui, RipGof etc, notably with attacks on a DoD entity et al that attracted the attention of the Internet Storm Center. But there’s evidence that they active in some form well over a year before, and Wicked Rose was moving from “patriotic hacking” to state-sponsored competitions and hacking for hire from around 2001, by his own account.
I don't, of course, know that the group alluded to by Alperovitch was operating out of China, as many have assumed. But there certainly has been such activity (NCPH seem to have had associations with Sichuan and Jiangsu provinces and ties with many other Chinese hacking groups), though I can't comment authoritatively on the involvement or non-involvement of the Chinese government or military. .
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply