Chinese Attackers Grab Data from Energy Companies

Hackers from China have been stealing internal documents from energy companies for at least two years, and possibly up to four. McAfee has named the hackers Night Dragon and described them as "incredibly sloppy." The Night Dragon hackers exploited holes to compromise web servers, McAfee said, and could attack other industries.

In another time, Night Dragon could have been the name of a Chinese pirate ship. In the early 21st century, it's the name that security firm McAfee has given to a group of hackers from that country who have penetrated energy companies' networks and confiscated internal documents for at least two years, and possibly up to four. On Friday, McAfee Vice President Dmitri Alperovitch described the attacks to news media as "unsophisticated," but noted that they were still effective in stealing a wide variety of documents over a sustained period of time. He added that they were "incredibly sloppy, made mistakes, and left lots of evidence."
Night Dragon's Techniques
According to Alperovitch, the Night Dragon hackers attacked at least five Western oil, gas and petrochemical companies, although he didn't provide names. Some are clients of McAfee, which is how the company became involved.
In a report on the attacks released Thursday, McAfee said they involved "social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating system vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools."
Basic activities of the hackers, the report said, included compromising company extranet web servers through SQL-injection techniques that allowed remote command execution. Commonly available hacker tools were uploaded to compromised servers, providing into the company's intranet, and then to internal desktops and servers. Additional usernames and passwords were obtained, using "password-cracking and pass-the-hash tools."
Compromised web servers were used as "command and control" servers, from which the attackers disabled Microsoft Internet Explorer proxy settings -- thus acquiring direct communication from infected machines to the Internet.
SCADA Systems
The purloined information included contracts, data about field operations, and information about monitoring systems. The monitoring operations were managed by supervisory control and data acquisition (SCADA) systems, which were also the target of the infamous Stuxnet worm that may have disrupted Iran's uranium-enrichment effort. However, disruption doesn't seem to have been the objective, but corporate espionage was.
The country of origin was deduced because the hackers used Chinese-language software tools, by originating IP addresses from the Chinese mainland, and because the attacks took place during business hours -- Beijing time.
McAfee noted that attacks on Google and WikiLeaks document disclosures, both in 2010, "have highlighted the fact that external and internal threats are nearly impossible to prevent." In light of that, the company said, it decided to share the Night Dragon attacks with the public.
McAfee said these kinds of sustained attacks have now "moved beyond the defense industrial base, government and military computers to include global corporate and commercial targets." Night Dragon focused on the energy sector, but, the report said, the same techniques can be used on any industry, and the target has increasingly become intellectual property.