'Sloppy' Chinese hackers scored data-theft coup with 'Night Dragon'
Less sophisticated than Aurora or Stuxnet, attacks snared oil- and gas-company info, including SCADA data
Computerworld - Chinese hackers who were "incredibly sloppy" still managed to steal gigabytes of data from Western energy companies, a McAfee executive said today.
"They were very unsophisticated," said Dmitri Alperovitch, vice president of threat research at McAfee, speaking of the attackers. "They were incredibly sloppy, made mistakes and left lots of evidence."
The attacks, which McAfee has dubbed "Night Dragon" and had tracked since November 2009, may have started two years earlier. They are still occurring.
Night Dragon targeted at least five Western oil, gas and petrochemical companies, all multinational corporations, said Alperovitch, who declined to identify the firms. Some are clients of McAfee, which was called in to investigate.
According to McAfee, the attacks infiltrated energy companies' networks, and made off with gigabytes of proprietary information about contracts, oil- and gas-field operations, and the details on the SCADA (supervisory control and data acquisition) systems used to manage and monitor the firms' facilities.
Unlike the notorious Stuxnet worm, which also targeted SCADA systems -- and which analysts believe sabotaged Iran's uranium enrichment program -- there's no evidence that the Night Dragon hackers were trying to hijack or damage the energy corporations' physical facilities. Instead, said Alperovitch, everything points to a concerted espionage campaign that was looking for information on how to duplicate the oil and gas companies' operational practices.
"They were very successful in acquiring highly proprietary information," said Alperovitch.
McAfee is confident that the hackers are based in China, and cited evidence that included widely-used Chinese-language hacking tools available in the country's cybercriminal underground, and the fact that the attacks originated at Beijing-based IP addresses and were conducted only on weekdays during the 9 a.m.-to-5 p.m. workday hours, Beijing local time.
"There's a preponderance of evidence that this came from China," Alperovitch claimed. "This was a professional group that worked 9-to-5, unlike your freelance hackers who work all hours of the day."
In a report published Wednesday (download PDF), McAfee said that it had traced the hosting of the group's command and control servers to a company, one individual in particular, based in Heze City, Shandong Province. Heze City is in eastern China, about 400 miles south of Beijing.
"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee wrote in the report.
Alperovitch said it was impossible to tell whether the attacks were sanctioned by the Chinese government, or had been launched by private companies or other interests.
The Night Dragon attacks targeted companies' public Web sites, which were compromised using SQL injection exploits. Once a site had been hijacked, the hackers uploaded remote administration tools (RATs) -- legitimate tools used by IT administrators to monitor and manage servers and PCs -- that let them infiltrate the more sensitive intranets and internal company networks.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!