Chinese hackers break into oil companies' networks


Sophisticated hackers, believed to be from China, have broken into the networks of several global oil, energy and petrochemical companies, according to a report released late Wednesday by computer security firm McAfee.

The attackers used an elaborate cocktail of hacking techniques – including social engineering, spear phishing and the exploitation of Windows operating system vulnerabilities – to target and steal sensitive proprietary information about oil and gas field bids and operations, according to the report. The intrusions, which McAfee has dubbed “Night Dragon,” began in November 2009, Dave Marcus, director of security research and communications at McAfee Labs, told SCMagazineUS.com on Thursday.

Victim computers were located in the United States, Kazakhstan, Taiwan, the Netherlands and Greece, he said.

"We don't know how many potential victims there are," Marcus said. "We know there are five, possibly 12. We are not at liberty to disclose the particular companies."

Data exfiltration may still be occurring at affected companies that do not yet know they have been attacked, he added.

The methods and tools used in the attack were relatively unsophisticated, George Kurtz, CTO of McAfee, wrote in a blog post Wednesday. The tools are widely available on Chinese web forums and are generally used only within China.

“We have strong evidence suggesting that the attackers were based in China,” Kurtz wrote. “The tools, techniques and network activities used in these attacks originate primarily in China.”

There is, however, no evidence that the attacks were state sponsored, Marcus said.

Described as “methodical and progressive,” the attacks began when the extranet web servers of targeted companies were compromised through a common hacking technique known as SQL injection, giving the attackers system-level access to the servers and allowing remote command execution, McAfee said. Readily available hacker tools were then uploaded to the compromised web servers, providing an entryway into the company's intranet.

Password cracking tools were then used to obtain usernames and passwords, allowing attackers to burrow deeper into sensitive company desktops and servers.

The attackers would then disable Internet Explorer proxy settings, so that infected machines communicated directly with the internet instead of through the corporate web proxy, McAfee said. Because the proxy is where outbound traffic is normally logged and filtered, that change both evaded inspection and left a perimeter trace: internal hosts opening direct connections to external addresses. Remote administration tools, used to remotely connect to and manage computers, were then used to connect to the computers of corporate executives and steal email archives and other sensitive documents.

Well-coordinated and targeted attacks like operation Night Dragon are on the rise and being launched against defense industrial bases, government and military computers, as well as global corporate and commercial targets, Kurtz said. These types of attacks generally aim to steal specific data or intellectual property.

The oil industry is competitive, and information about untapped reserves, the geography of an oil field or a company's calculations of the future cost of oil is all considered highly sensitive, Gary Warner, the former IT director for the Birmingham, Ala.-based oil and gas company Energen, told SCMagazineUS.com on Thursday.

Oil companies spend millions of dollars on research and development learning how to get the most oil out of a certain geological structure and, if stolen, that information could provide others with a huge competitive advantage, said Warner, now director of research in computer forensics at the University of Alabama at Birmingham.

McAfee has identified one person who provided the command-and-control infrastructure for the attacks, the company said. The individual, who is based in Heze City within the Shandong Province of China, is not the mastermind behind the attacks but runs a company that provides hosted servers in the United States and may be able to help identify the perpetrators, the company said.

All the data exfiltration occurred from Beijing-based IP addresses on weekdays from 9 a.m. to 5 p.m., Beijing time, suggesting that the perpetrators were working professionals rather than freelance or casual hackers, McAfee said.
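The intrusion chain above (SQL injection against extranet web servers, then proxy-bypassing direct connections from inside the network) and the Beijing business-hours timing pattern each leave traces in ordinary logs. The following is an added example written for this page, not McAfee's tooling or anything from the Night Dragon report: it runs over constructed web-server and firewall log lines, flags requests carrying SQL injection indicators, flags internal hosts that reach external addresses without going through the corporate proxy, and tags each such event with whether it fell on a weekday between 09:00 and 17:00 Beijing time. The log formats, the addresses, the proxy at 10.20.0.8:8080 and the small indicator set are all assumptions.

```python
"""Detection sketch for the Night Dragon intrusion chain (added example; assumptions labelled).

Checks over constructed sample logs:
 1. SQL injection indicators in an extranet web server's access log.
 2. Proxy bypass: internal hosts connecting straight to external addresses
    rather than via the corporate proxy.
 3. Each bypass event tagged with whether it falls on a weekday 09:00-17:00
    Beijing time (UTC+8), the exfiltration pattern McAfee reported.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed Apache-style access log for an extranet server (hypothetical data).
WEB_LOG = """\
203.0.113.7 - - [17/Nov/2009:02:14:55 +0000] "GET /bids.asp?id=42 HTTP/1.1" 200 5120
203.0.113.7 - - [17/Nov/2009:02:15:02 +0000] "GET /bids.asp?id=42'%20OR%20'1'%3D'1 HTTP/1.1" 500 312
203.0.113.7 - - [17/Nov/2009:02:15:40 +0000] "GET /bids.asp?id=42;exec%20master..xp_cmdshell%20'whoami' HTTP/1.1" 200 88
198.51.100.9 - - [17/Nov/2009:08:30:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Constructed perimeter firewall log (hypothetical data). 10.20.0.8:8080 is the
# assumed corporate proxy; TEST-NET addresses stand in for internet hosts.
FW_LOG = """\
2010-03-02T01:05:10Z ALLOW src=10.20.5.17 dst=198.51.100.44 dport=443 proto=tcp
2010-03-02T01:05:11Z ALLOW src=10.20.5.17 dst=10.20.0.8 dport=8080 proto=tcp
2010-03-06T03:00:00Z ALLOW src=10.20.5.31 dst=192.0.2.200 dport=443 proto=tcp
2010-03-02T14:00:00Z ALLOW src=10.20.5.17 dst=192.0.2.9 dport=80 proto=tcp
"""

PROXY = ("10.20.0.8", 8080)  # assumed corporate proxy address and port
BEIJING = timezone(timedelta(hours=8))
# RFC 1918 ranges listed explicitly: ipaddress.is_private also treats the
# TEST-NET documentation ranges as private, which would hide the sample hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WEB_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
FW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+$"
)

# Indicators matched against the URL-decoded request path. Illustrative only,
# not a complete SQL injection signature set.
SQLI_INDICATORS = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
}


def find_sqli(log_text):
    """Return one dict per access-log line whose decoded path hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_LINE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # decode before matching so %20 / %3D do not hide the payload
        for name, rx in SQLI_INDICATORS.items():
            if rx.search(path):
                hits.append({"src": m["src"], "path": path, "indicator": name, "status": int(m["status"])})
                break
    return hits


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_beijing_business_hours(ts_utc):
    local = ts_utc.astimezone(BEIJING)
    return local.weekday() < 5 and 9 <= local.hour < 17


def find_proxy_bypass(log_text, proxy=PROXY):
    """Flag allowed connections from internal hosts straight to external hosts."""
    events = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) == proxy or not is_internal(m["src"]) or is_internal(dst):
            continue  # traffic via the proxy, or not internal-to-external, is expected
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"src": m["src"], "dst": dst, "dport": dport,
                       "beijing_business_hours": in_beijing_business_hours(ts)})
    return events


if __name__ == "__main__":
    for h in find_sqli(WEB_LOG):
        print(f"SQLi? {h['src']} -> {h['path']} [{h['indicator']}]")
    for e in find_proxy_bypass(FW_LOG):
        print(f"proxy bypass: {e['src']} -> {e['dst']}:{e['dport']} "
              f"beijing_business_hours={e['beijing_business_hours']}")
```

On the sample data the two injected requests from 203.0.113.7 are flagged, the connection to the proxy is ignored, and three direct external connections are reported, of which only the first (Tuesday 09:05 Beijing time) carries the business-hours tag. The tag is a prioritisation hint, not proof of attribution; the timing claim in the article rests on McAfee's own traffic data, not on a check like this.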
