Skip the navigation

'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'

Less sophisticated than Aurora or Stuxnet, attacks snared oil- and gas-company info, including SCADA data

February 11, 2011 12:47 PM ET

Computerworld - Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.

"They were very unsophisticated," said Dmitri Alperovitch, vice president of threat research at McAfee, speaking of the attackers. "They were incredibly sloppy, made mistakes and left lots of evidence."

The attacks, which McAfee has dubbed "Night Dragon" and had tracked since November 2009, may have started two years earlier. They are still occurring.

Night Dragon targeted at least five Western oil, gas and petrochemical companies, all multinational corporations, said Alperovitch, who declined to identify the firms. Some are clients of McAfee, which was called in to investigate.

According to McAfee, the attacks infiltrated energy companies' networks, and made off with gigabytes of proprietary information about contracts, oil- and gas-field operations, and the details on the SCADA (supervisory control and data acquisition) systems used to manage and monitor the firms' facilities.

Unlike the notorious Stuxnet worm, which also targeted SCADA systems -- and which analysts believe sabotaged Iran's uranium enrichment program -- there's no evidence that the Night Dragon hackers were trying to hijack or damage the energy corporations' physical facilities. Instead, said Alperovitch, everything points to a concerted espionage campaign that was looking for information on how to duplicate the oil and gas companies' operational practices.

"They were very successful in acquiring highly proprietary information," said Alperovitch.

McAfee is confident that the hackers are based in China, and cited evidence that included widely-used Chinese-language hacking tools available in the country's cybercriminal underground, and the fact that the attacks originated at Beijing-based IP addresses and were conducted only on weekdays during the 9 a.m.-to-5 p.m. workday hours, Beijing local time.

"There's a preponderance of evidence that this came from China," Alperovitch claimed. "This was a professional group that worked 9-to-5, unlike your freelance hackers who work all hours of the day."

In a report published Wednesday (download PDF), McAfee said that it had traced the hosting of the group's command and control servers to a company, one individual in particular, based in Heze City, Shandong Province. Heze City is in eastern China, about 400 miles south of Beijing.

"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee wrote in the report.

Alperovitch said it was impossible to tell whether the attacks were sanctioned by the Chinese government, or had been launched by private companies or other interests.

The Night Dragon attacks targeted companies' public Web sites, which were compromised using SQL injection exploits. Once a site had been hijacked, the hackers uploaded remote administration tools (RATs) -- legitimate tools used by IT administrators to monitor and manage servers and PCs -- that let them infiltrate the more sensitive intranets and internal company networks.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!