Chinese hackers working regular business hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods in an operation dubbed "Night Dragon," according to a new report from security vendor McAfee.
The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites, said Greg Day, director of security strategy. The hackers also used persuasive social-engineering techniques to get key executives in Kazakhstan, Taiwan, Greece, and the U.S. to divulge information.
The attacks have been linked to China due to the use of Chinese hacking tools commonly seen on underground hacking forums. Further, the attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. and 5 p.m. local time there, suggesting that the culprits were regular company employees rather than freelance or unprofessional hackers, McAfee said in its report [PDF].
Although McAfee said a group of hackers likely executed the attacks, it had pinpointed "one individual" located in Heze City in Shandong Province "who has provided the crucial C&C infrastructure to the attackers."
"It is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee said. Day said it is routine for McAfee to notify law enforcement in such instances.
McAfee's report is just the latest to underscore the continuing efforts of hackers to steal sensitive corporate information. In late 2009, Google said it had seen attacks believed to come from China, dubbed "Operation Aurora," which also targeted dozens of other multinational companies.
McAfee did not publicly identify the companies attacked, but Day said some employed McAfee's professional services consultants.
Writing on a company blog, McAfee's CTO George Kurtz said the attackers used "an elaborate mix of hacking techniques" but methods and tools that were "relatively unsophisticated."
But while seemingly downplaying the hackers' methods, McAfee admitted that it had only recently been able to detect the broad pattern.
"Only through recent analysis and the discovery of common artifacts and evidence correlation have we been able to determine that a dedicated effort has been ongoing for at least two years, and likely as many as four," the report said.
Day said that despite penetration testing designed to ensure a company's IT systems are secure, the breadth and complexity of corporate computer systems have made it increasingly difficult to link malicious actions together.
"I don't want to say it's the thing right under the nose that you miss but it's the very reality that things get through due to the depth and scope of the world we have to deal with today," Day said. "We keep seeing all kinds of infiltration because of that challenge."
Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.
McAfee has identified the tools, techniques, and network activities used in these attacks, which continue on to this day. These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).
While the list above may seem impressive to the layperson, these methods and tools are relatively unsophisticated. The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies.
We have also taken a close look at who might be behind these attacks. We have strong evidence suggesting that the attackers were based in China. The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups. McAfee has determined identifying features to assist companies with detection and investigation.
McAfee Stinger includes detection for 'Night Dragon' signatures...
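The working-hours observation above (activity from Beijing addresses between 9 a.m. and 5 p.m. local time) is one of the "evidence correlation" signals the report describes. The following is an added example, not code from McAfee or the report, that generalizes the idea: given UTC timestamps of suspicious events, it finds the whole-hour UTC offset whose local 9-to-5 window captures the most activity. The timestamps are constructed sample data, and the result is only one correlation signal, to be weighed alongside tooling and infrastructure artifacts.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of beacons from one compromised host.
# Illustrative values only, not data from the McAfee report.
SAMPLE_EVENTS = [
    "2010-11-15T01:12:00Z", "2010-11-15T02:40:00Z", "2010-11-15T04:05:00Z",
    "2010-11-15T06:30:00Z", "2010-11-15T08:55:00Z", "2010-11-16T01:30:00Z",
    "2010-11-16T03:10:00Z", "2010-11-16T05:45:00Z", "2010-11-16T07:20:00Z",
    "2010-11-16T09:00:00Z", "2010-11-17T00:58:00Z", "2010-11-17T03:33:00Z",
    "2010-11-17T06:12:00Z", "2010-11-17T08:40:00Z", "2010-11-17T14:00:00Z",
]

WORK_START, WORK_END = 9, 17  # local working day: 9 a.m. up to 5 p.m.


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(events, offset_hours: int) -> Counter:
    """Count events per local hour for a fixed UTC offset (e.g. +8 for Beijing)."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(e).astimezone(tz).hour for e in events)


def business_hours_fraction(events, offset_hours: int) -> float:
    """Fraction of events falling inside the local 9-17 window for this offset."""
    hist = local_hour_histogram(events, offset_hours)
    in_window = sum(n for hour, n in hist.items() if WORK_START <= hour < WORK_END)
    return in_window / max(1, sum(hist.values()))


def infer_utc_offset(events):
    """Return (offset, fraction) for the whole-hour UTC offset whose local
    working day best explains the activity; ties go to the offset nearest UTC."""
    best = max(range(-12, 15),
               key=lambda off: (business_hours_fraction(events, off), -abs(off)))
    return best, business_hours_fraction(events, best)


if __name__ == "__main__":
    offset, frac = infer_utc_offset(SAMPLE_EVENTS)
    print(f"best-fit offset UTC{offset:+d}, {frac:.0%} of events in 09:00-17:00 local")
```

For the sample data the best fit is UTC+8 with 80% of events inside the working day, the same shape of signal the report relied on; a flat histogram across all offsets would instead argue against a single working-hours operator.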