The Year of the Rat: How Technologies Incubated Nearly a Decade Ago Now Shape the World We Live In

The quantity and delicate nature of the records stolen from the Office of Personnel Management
(OPM) make it the most meaningful breach of the year. For me, this story hit close to home for
a couple of reasons. Having the benefit of inside sources, I was quoted by the media days after
the attack, stating that the Chinese-made PlugX RAT (remote access terminal malware) was
involved. Upon researching the history of this Trojan, I was shocked to see that its author’s career
timeline exactly paralleled mine.

As a software R&D guy, I know that an idea on a whiteboard can take years before the code is
written, let alone before the product is adopted and used widely enough to appear in the news. So
I react differently to news stories such as those about the OPM hack. While others consider the
present and future implications, I often ponder the technology’s incubation period, stretching
back years prior.

TrendMicro first discovered the PlugX RAT in 2008 and attributed it to Chinese syndicates.
Coincidentally, this was also the Year of the Rat in the Chinese zodiac. The Year of the Rat is
not all about PlugX; the first advanced persistent threats (APTs) were also being enhanced
during this period. The work performed by these noteworthy malware authors was presumably
fueled by an increase in Chinese state funding.

Having some feel for the lifecycle of software, I presume PlugX’s authors were developing this
malicious code in 2007. Coincidentally, I mirrored my black hat doppelganger that year: I had
just been recruited into Guidance Software to work on the industry’s first incident response (IR)
product. Today analysts project the IR market to grow to $14 billion by 2017, but nine years ago,
the product we originally named Automated Incident Response (AIR) attracted wisecracks that
we were selling thin “air.”

Given that they prefer to labor in anonymity, our black hat counterparts surely avoid these
challenges. Relieved of the burden of educating risk-averse decision makers, or of battling for
inclusion in customer budgets, my agile counterparts simply handed PlugX to sophisticated bad
actors who branded cyberspace with their accomplishment.

As my years in R&D have marched on, I’ve spent much time contemplating the natural
advantages held by my dark side counterparts. While the detection and response industry
broadcasts its every innovation from the mountain tops, black hats work under the cover of
darkness. The security industry is probably doing a better job of sharing threat intelligence, but
we’re also sharing with the enemy.

An increase in industry spending has brought many talented software developers into the
employ of detection and response security vendors. That said, one only needs to peer into a

44 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
