'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'

Less sophisticated than Aurora or Stuxnet, attacks snared oil- and gas-company info, including SCADA data

Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.

"They were very unsophisticated," said Dmitri Alperovitch, vice president of threat research at McAfee, speaking of the attackers. "They were incredibly sloppy, made mistakes and left lots of evidence."

The attacks, which McAfee has dubbed "Night Dragon" and had tracked since November 2009, may have started two years earlier. They are still occurring.

Night Dragon targeted at least five Western oil, gas and petrochemical companies, all multinational corporations, said Alperovitch, who declined to identify the firms. Some are clients of McAfee, which was called in to investigate.

According to McAfee, the attacks infiltrated energy companies' networks, and made off with gigabytes of proprietary information about contracts, oil- and gas-field operations, and the details on the SCADA (supervisory control and data acquisition) systems used to manage and monitor the firms' facilities.

Unlike the notorious Stuxnet worm, which also targeted SCADA systems -- and which analysts believe sabotaged Iran's uranium enrichment program -- there's no evidence that the Night Dragon hackers were trying to hijack or damage the energy corporations' physical facilities. Instead, said Alperovitch, everything points to a concerted espionage campaign that was looking for information on how to duplicate the oil and gas companies' operational practices.

"They were very successful in acquiring highly proprietary information," said Alperovitch.

McAfee is confident that the hackers are based in China, and cited evidence that included widely-used Chinese-language hacking tools available in the country's cybercriminal underground, and the fact that the attacks originated at Beijing-based IP addresses and were conducted only on weekdays during the 9 a.m.-to-5 p.m. workday hours, Beijing local time.

"There's a preponderance of evidence that this came from China," Alperovitch claimed. "This was a professional group that worked 9-to-5, unlike your freelance hackers who work all hours of the day."

In a report published Wednesday (download PDF), McAfee said that it had traced the hosting of the group's command and control servers to a company, one individual in particular, based in Heze City, Shandong Province. Heze City is in eastern China, about 400 miles south of Beijing.

"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee wrote in the report.

Alperovitch said it was impossible to tell whether the attacks were sanctioned by the Chinese government, or had been launched by private companies or other interests.

The Night Dragon attacks targeted companies' public Web sites, which were compromised using SQL injection exploits. Once a site had been hijacked, the hackers uploaded remote administration tools (RATs) -- legitimate tools used by IT administrators to monitor and manage servers and PCs -- that let them infiltrate the more sensitive intranets and internal company networks.

When they were inside the network perimeter, the attacks deployed password-cracking tools to access additional machines and data caches on the network, then disabled Internet Explorer's proxy settings to transfer the purloined information to their systems in China.

Additional attacks targeted specific individuals, including company executives, in attempts to dupe them into revealing their login usernames and passwords.

Although Chinese attacks against Western governments and firms have been alleged before -- the U.S. Department of Defense has been saying that since 2007 -- what stuck out in Night Dragon was its success with stock tools and techniques, said Alperovitch.

"This is at the other end of the spectrum from Aurora and Stuxnet," Alperovitch said, talking about the January 2010 attacks aimed at Google and dozens of other Western technology companies. Aurora, as the attacks became known, made off with proprietary Google information, including source code.

Google traced the Aurora attacks to Chinese hackers, prompting it to threaten shutting down its China operations. Last summer, Google compromised with China's authorities over censorship issues, and remains part of the China search scene.

Unlike either Aurora or the even more sophisticated Stuxnet, the Night Dragon attackers did not use an unpatched Microsoft vulnerability -- a "zero-day" in security parlance -- and relied on off-the-shelf hacking tools.

"Night Dragon was not as sophisticated as Aurora, and certainly not as sophisticated as Stuxnet," said Alperovitch. "It's unfortunate that attacks like this are still successful, especially on critical infrastructure like energy."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies