'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'
Less sophisticated than Aurora or Stuxnet, attacks snared oil- and gas-company info, including SCADA data
Computerworld - Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.
"They were very unsophisticated," said Dmitri Alperovitch, vice president of threat research at McAfee, speaking of the attackers. "They were incredibly sloppy, made mistakes and left lots of evidence."
The attacks, which McAfee has dubbed "Night Dragon" and had tracked since November 2009, may have started two years earlier. They are still occurring.
Night Dragon targeted at least five Western oil, gas and petrochemical companies, all multinational corporations, said Alperovitch, who declined to identify the firms. Some are clients of McAfee, which was called in to investigate.
According to McAfee, the attacks infiltrated energy companies' networks, and made off with gigabytes of proprietary information about contracts, oil- and gas-field operations, and the details on the SCADA (supervisory control and data acquisition) systems used to manage and monitor the firms' facilities.
Unlike the notorious Stuxnet worm, which also targeted SCADA systems -- and which analysts believe sabotaged Iran's uranium enrichment program -- there's no evidence that the Night Dragon hackers were trying to hijack or damage the energy corporations' physical facilities. Instead, said Alperovitch, everything points to a concerted espionage campaign that was looking for information on how to duplicate the oil and gas companies' operational practices.
"They were very successful in acquiring highly proprietary information," said Alperovitch.
McAfee is confident that the hackers are based in China, and cited evidence that included widely-used Chinese-language hacking tools available in the country's cybercriminal underground, and the fact that the attacks originated at Beijing-based IP addresses and were conducted only on weekdays during the 9 a.m.-to-5 p.m. workday hours, Beijing local time.
"There's a preponderance of evidence that this came from China," Alperovitch claimed. "This was a professional group that worked 9-to-5, unlike your freelance hackers who work all hours of the day."
In a report published Wednesday (download PDF), McAfee said that it had traced the hosting of the group's command and control servers to a company, one individual in particular, based in Heze City, Shandong Province. Heze City is in eastern China, about 400 miles south of Beijing.
"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee wrote in the report.
Alperovitch said it was impossible to tell whether the attacks were sanctioned by the Chinese government, or had been launched by private companies or other interests.
The Night Dragon attacks targeted companies' public Web sites, which were compromised using SQL injection exploits. Once a site had been hijacked, the hackers uploaded remote administration tools (RATs) -- legitimate tools used by IT administrators to monitor and manage servers and PCs -- that let them infiltrate the more sensitive intranets and internal company networks.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts