'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'
Less sophisticated than Aurora or Stuxnet, attacks snared oil- and gas-company info, including SCADA data
Computerworld - Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.
"They were very unsophisticated," said Dmitri Alperovitch, vice president of threat research at McAfee, speaking of the attackers. "They were incredibly sloppy, made mistakes and left lots of evidence."
The attacks, which McAfee has dubbed "Night Dragon" and had tracked since November 2009, may have started two years earlier. They are still occurring.
Night Dragon targeted at least five Western oil, gas and petrochemical companies, all multinational corporations, said Alperovitch, who declined to identify the firms. Some are clients of McAfee, which was called in to investigate.
According to McAfee, the attacks infiltrated energy companies' networks, and made off with gigabytes of proprietary information about contracts, oil- and gas-field operations, and the details on the SCADA (supervisory control and data acquisition) systems used to manage and monitor the firms' facilities.
Unlike the notorious Stuxnet worm, which also targeted SCADA systems -- and which analysts believe sabotaged Iran's uranium enrichment program -- there's no evidence that the Night Dragon hackers were trying to hijack or damage the energy corporations' physical facilities. Instead, said Alperovitch, everything points to a concerted espionage campaign that was looking for information on how to duplicate the oil and gas companies' operational practices.
"They were very successful in acquiring highly proprietary information," said Alperovitch.
McAfee is confident that the hackers are based in China, and cited evidence that included widely-used Chinese-language hacking tools available in the country's cybercriminal underground, and the fact that the attacks originated at Beijing-based IP addresses and were conducted only on weekdays during the 9 a.m.-to-5 p.m. workday hours, Beijing local time.
"There's a preponderance of evidence that this came from China," Alperovitch claimed. "This was a professional group that worked 9-to-5, unlike your freelance hackers who work all hours of the day."
In a report published Wednesday (download PDF), McAfee said that it had traced the hosting of the group's command and control servers to a company, one individual in particular, based in Heze City, Shandong Province. Heze City is in eastern China, about 400 miles south of Beijing.
"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee wrote in the report.
Alperovitch said it was impossible to tell whether the attacks were sanctioned by the Chinese government, or had been launched by private companies or other interests.
The Night Dragon attacks targeted companies' public Web sites, which were compromised using SQL injection exploits. Once a site had been hijacked, the hackers uploaded remote administration tools (RATs) -- legitimate tools used by IT administrators to monitor and manage servers and PCs -- that let them infiltrate the more sensitive intranets and internal company networks.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts