In a detailed white paper, "Global Energy Cyberattacks: 'Night Dragon'" (.pdf), McAfee researchers said the attacks were first detected in November 2009 and may involve "many actors." The security vendor estimates the attacks may have been going on for as many as four years.
"Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise," McAfee said in its report. "These targets have now moved beyond the defense industrial base, government and military computers to include global corporate and commercial targets."
The energy sector has long been the target of cyberespionage. Last year, McAfee and the Center for Strategic and International Studies (CSIS) issued a report that highlighted serious lapses in cybersecurity at critical infrastructure facilities, including oil refineries and chemical and power plants. The report included the results of a survey of 600 IT and security executives from critical infrastructure enterprises. The oil and gas sector reported the highest rates of stealthy infiltration (71%), as opposed to 54% of respondents overall, with more than a third reporting multiple infiltrations every month. The oil and gas industry also had the highest rates of extortion.
In its report on Night Dragon, McAfee said it has identified one individual who provided the command-and-control infrastructure to the attackers. Originating from several locations in China, the attackers used command-and-control servers on hosted services in the U.S. as well as compromised servers in the Netherlands to wage their attacks.
In addition to the companies, the attackers also targeted "individuals and executives in Kazakhstan, Taiwan, Greece and the United States to acquire proprietary and highly confidential information," McAfee said.
McAfee said the methods of the attacks were relatively unsophisticated and appear to be "standard host administration techniques, using standard administrative credentials." Using automated tools, the attackers first employed SQL injection attacks to compromise the energy firms' Web servers. From there, the attackers gained access to the firms' intranets, where they used password crackers to bypass the authentication deployed on sensitive desktops and servers, McAfee said.
"This is largely why they are able to evade detection by standard security software and network policies," McAfee said. "Using the [remote administration tool] malware, they proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive documents," McAfee said. Mobile workers' laptops were also targeted in order to compromise corporate VPN accounts.
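The first step in the intrusion chain above, SQL injection against an Internet-facing web application, is the one a defender can most directly reproduce and fix. The following is an added illustration written for this page, not code from McAfee's report or from any affected company: a login check built by string concatenation, the bypass and credential-dump payloads that work against it, and the parameterized version that does not. The table, user records and payloads are constructed for the demo; the in-memory SQLite database stands in for whatever backend the real web servers used.

```python
import sqlite3

# Constructed sample accounts for the demo (hypothetical, not real data).
USERS = [("jsmith", "Winter2009!"), ("admin", "s3cret")]


def build_db():
    """Create an in-memory users table populated with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Login check with attacker input spliced straight into the SQL text.

    Anything the caller types is parsed as SQL, so quotes, OR clauses,
    comment markers and UNIONs all change the query the server runs.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is compared as data only."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run three classic payloads against both implementations.

    - tautology: password of  ' OR '1'='1  makes the WHERE clause always true
    - comment:   username of  admin'--     truncates the password check
    - union:     username of  ' UNION SELECT password FROM users--
                 turns the login form into a credential dump, the kind of
                 foothold that feeds offline password cracking
    """
    conn = build_db()
    tautology = "' OR '1'='1"
    comment = "admin'--"
    union = "' UNION SELECT password FROM users--"
    return {
        # vulnerable: every user comes back although the password is wrong
        "vuln_tautology": login_vulnerable(conn, "admin", tautology),
        # vulnerable: password check is commented out, admin is returned
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        # vulnerable: the stored passwords are returned as "usernames"
        "vuln_union": login_vulnerable(conn, union, "wrong"),
        # parameterized: the same payloads match nothing
        "safe_tautology": login_parameterized(conn, "admin", tautology),
        "safe_comment": login_parameterized(conn, comment, "wrong"),
        "safe_union": login_parameterized(conn, union, "wrong"),
        # parameterized: a genuine credential still works
        "safe_valid": login_parameterized(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-16s %s" % (name, rows))
```

The union payload is the one worth dwelling on: it is exactly how a web-server foothold becomes the password material that the intranet stage of the attack then cracks, and it is defeated by the same one-line change as the tautology. Parameterization fixes the query; it does not replace the least-privilege database account and outbound-egress controls that limit what a compromised web tier can reach next.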
McAfee issued a Night Dragon vulnerability detection tool to test whether systems are vulnerable to the types of methods used by the attackers.
"Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers," McAfee said. "In some cases, the files were copied to and downloaded from company Web servers by the attackers. In certain cases, the attackers collected data from SCADA systems."