Chinese hackers have been accused of launching a major cyberattack against Western energy companies that appears to have resulted in the theft of an unknown number of highly sensitive documents.
According to McAfee, which has dubbed the attacks ‘Night Dragon’ in a detailed analysis, the hacking of five unnamed companies in the global oil, energy, and petrochemical sector in a number of countries started in November 2009 and still ongoing.
Using hosts based in The Netherlands and the US, the first layer of the attacks comprised the compromise of extranets and VPNs using SQL injection exploits, the use of Trojan malware targeting the PCs and laptops of employees, and the monitoring of infrastructure such as firewall and other security systems.
All of this is pretty standard stuff as was the next stage of the attacks which was to gain covert admin privileges using old-fashioned remote admin tools (RATs) to penetrate and control key servers.
What stands out is the sheer scale of the attacks described by McAfee and the number and organisation of the participants, all of which are likely to see Night Dragon compared to the politically-charged events that unfolded after the Aurora attacks of 2010, also believed to originate in China.
It’s also clear that the information targeted in these attacks, not to mention the critical sector in which the attacked enterprises operated, will end up with accusations being levelled at the Chinese state.
What did the attackers steal? “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers. In some cases, the files were copied to and downloaded from company web servers by the attackers. In certain cases, the attackers collected data from SCADA systems,” reads the McAfee analysis.
McAfee steers away from blaming China outright but the implication is clear – the Chinese government is using cyberattacks to undermine competing interests on a scale only now becoming clear.
It’s also hinted that the activities go beyond the primary energy sector and probably the obvious companies too. The attacks might also have started long before 2009. Night Dragon might only be one part of a large whole.
As in the past, the attackers don’t appear to have covered their tracks well. McAfee describes the evidence of Chinese involvement as “circumstantial” but offers compelling details of how companies and even one unnamed individual in Heze City, Shandong Province played different parts in Night Dragon.
“McAfee has determined that all of the identified data exfiltration activity [from Trojans] occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m,” McAfee documents in almost comic detail.
The RAT tools used were also of Chinese origin although the company stops short of assuming that the developers might have had some involvement.
Night Dragon is a huge coup for McAfee, which doesn't explain in detail how it uncovered that is was happening. Then again, the company was also key in detailing last year's Aurora hack but was later criticised for inaccuracies in its outline of that attack.