Possible China links in oil company cyberattacks

ExxonMobil, Marathon, ConocoPhilips attacked, the Christian Science Monitor reports

At least three U.S. oil companies were hit by a series of targeted cyberattacks that may have originated in China, according to a report today in the Christian Science Monitor.

The attacks occurred in 2008, and were directed at Marathon Oil, ExxonMobil, and ConocoPhillips, the report, which quoted unnamed sources, said. The companies did not learn about the attacks or the extent to which they were compromised until they were informed about it by the FBI sometime in 2009.

The attacks, which have been a closely guarded secret of oil companies and federal authorities, were aimed at extracting "bid data," or information detailing the quantity, value and location of oil resources, the Monitor said quoting sources and documents on the attacks that it had obtained.

The compromised data included e-mail passwords, messages, other information tied to several C-level executives with access to proprietary exploration and discovery information, the Monitor quoted its sources as saying.

There is no confirmed China link, but data from at least one of the compromised computers was found being transmitted to a computer apparently based in China and one document referred to the breaches as being caused by the "China virus", the report said.

The Monitor story, which is based on a five month-long investigation, said the intrusions left dozens of computers across the three companies vulnerable to data theft. The thefts involved the use of custom-made spyware that was designed to evade whatever controls the companies might have had in place.

The initial compromise appears to have occurred in November 2008, via poisoned e-mails directed at numerous senior level executives at the companies. The letters, which contained a request for the recipients to analyze the Economic Stabilization Act, were each designed to appear to come from a person known to the recipient. A link embedded in the e-mail caused the malware program to be downloaded to the user's system from where it spread to other systems.

None of the three companies mentioned in the story responded to the Monitor's request for details on the attack, it claimed.

News of the attacks come in the wake of the recent disclosure that Google and at least 30 other high-tech companies being targeted by cyberattacks apparently originating from China.

The attacks have caused widespread concern and evoked a formal protest from the U.S. Meanwhile China itself has denied any role in the compromises and has claimed that it too has been the victim of numerous such attacks.

The attacks against the oil companies, and more recently Google and the other high-tech firms are highlighting what some security analysts call the Advanced Persistent Threat (APT) confronting a growing number of U.S commercial entities.

The term has been used for some time in government and military domains to describe targeted cyberattacks carried out by highly organized state-sponsored groups with deep technical skills and computing resources.

Such attacks are typically highly targeted, stealthy, customized and persistent. They also often involve intensive surveillance and advanced social engineering.

In many cases, the attacks target highly placed individuals within organizations who are tricked into visiting malicious sites or downloading malicious software onto their systems. Their goal in most cases is to steal trade secrets rather than personal or financial data.

Government networks, especially those of the Department of Defense, have been the target of such advanced persistent threats for years. But more recently the attacks have begun to spill over into the commercial realm.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed .

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies