Hackers believed to have originated in China compromised at least five multinational oil and energy companies in “coordinated covert and targeted” cyberattacks, according to a report by cybersecurity firm McAfee.
The network intrusions, which have been dubbed “Night Dragon” by McAfee, are believed to have begun in November 2009. The espionage campaign was designed to compromise competitive proprietary operations and sensitive financial information, and it targeted email archives and oil and gas field bids and operations, according to the “Global Energy Cyberattacks: ‘Night Dragon’” report released Feb. 10.
“This is a breed of attackers that are interested in industrial or national-security espionage,” said Dmitri Alperovitch, vice president of threat research at McAfee Labs. “Their primary characteristic and differentiator from cybercriminals is that they are persistent. Like a dog with a bone, they just don’t let go of their victim.”
The report states the attacks are continuing.
‘Industrial Espionage by Computer’
Operating from a base apparently in Beijing, the intruders established control servers in the United States and Netherlands to break into computers in Kazakhstan, Taiwan, Greece, and the United States, according to the report.
The hackers used multiple techniques to launch their attacks, including spear-phishing, social engineering, Windows exploits, directory compromises, and the use of remote administration tools.
“As McAfee notes, the attack techniques in Night Dragon are old—[about] a decade old—and industrial espionage via computer networks is also well-known,” said Chris Palmer, technology director for the Electronic Frontier Foundation.
This is good news for those tasked with detecting and preventing attacks, Palmer said. “The attacks have used mostly old and well-understood attack techniques.”
Defenses Available
For example, Palmer says there are good defenses against the spear-phishing technique used in the Night Dragon attacks. Spear-phishing refers to attempts to retrieve usernames, passwords, and other sensitive information through emails that appear to come from a trusted source.
Palmer noted spear-phishing is likely to work well for a long time.
“Confusing people and impersonating their friends works very well on the Internet, unfortunately,” Palmer said of spear-phishing.
‘Detecting Infiltration Activity’
Palmer warned, “Defense techniques only work if software engineers are motivated or required to use them. We had a brief period of forward momentum on security engineering from about 2004 through 2009, but I fear we are losing that momentum.”
Despite Palmer’s assertion that spear-phishing attacks are easily defended against, Alperovitch says it’s difficult to deter and prevent attack techniques such as the ones used in Night Dragon.
“At the end of the day, there is nothing you can really do to deter attacks like these. The best you can hope for is to detect the infiltration activity fast enough to block it and prevent catastrophic data loss,” he said.
The report states McAfee believes many actors participated in the Night Dragon attacks, but it claims to have identified one individual who provided the crucial infrastructure to the attackers. The individual is allegedly based in Heze City, Shandong Province, China, and is believed to be able to help identify those responsible for the attacks, according to the report.
“We are working with FBI and passing them information related to the investigation to help them identify the perpetrators,” Alperovitch said.
“It is a never-ending, vigilant fight with a very determined and resourceful attacker,” he said.
Alyssa Carducci writes from Tampa, Florida.
On the Internet
“Global Energy Cyberattacks: ‘Night Dragon,’” McAfee Labs, February 10, 2011: http://heartland.org/infotech-news.org/article/29423/Global_Energy_Cyberattacks_Night_Dragon.html