

US oil industry hit by cyberattacks: Was China involved?

MONITOR EXCLUSIVE: Breaches show how sophisticated industrial espionage is becoming. The big question: Who’s behind them?

By / January 25, 2010

Iraq's Rumaila oil field: A key target of 2008 cyberattacks on US oil and gas companies ExxonMobil, ConocoPhillips, and Marathon was exploration 'bid data' that provides critical details about new energy discoveries.

Atef Hassan/Reuters


Houston

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.


The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.

The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.

While China’s involvement in the attacks is far from certain, at least some data was detected flowing from one oil company computer to a computer in China, a document indicates. Another oil company’s security personnel privately referred to the breaches in one of the documents as the “China virus.”

“What these guys [corporate officials] don’t realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network,” says the source familiar with the attacks. “You can’t get rid of this attacker very easily. It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.”

Neither Marathon Oil, ExxonMobil, nor ConocoPhillips would comment on the attacks or confirm that they had happened. But the breaches, which left dozens of computers and their data vulnerable in those companies’ global networks, were confirmed over a five-month Monitor investigation in interviews with dozens of oil industry insiders, cybersecurity experts, and former government officials, and by documents describing the attacks.

“We’ve seen real, targeted attacks on our C-level [most senior] executives,” says one oil company official, who, like others familiar with various aspects of the attacks, spoke only on condition of anonymity. “I was at a meeting with the FBI earlier this year [2009] that was pretty eye-opening.”

The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations. Experts say the new cyberburglary tools pose a serious threat to corporate America and the long-term competitiveness of the nation.

“We’ve had friends in the petroleum industry express grave concern because they’ve spent hundreds of millions of dollars finding out where the next big oil discovery will be,” says Ed Skoudis, cofounder of InGuardians, a computer security firm, who was called last year to help a big oil and gas company secure its bid data after its computer network was infiltrated. He wouldn’t name the company. “The attacker would be saving huge expenses for himself by stealing that data.”

How to keep prying eyes out of your computer network

The computer security systems of many major corporations today are a Maginot line: Hackers are all too often overwhelming the defenders.

New forms of customized fake e-mails and other sophisticated programs can easily breach computer firewalls. Cyberthieves are devising new strains of spyware quicker than many companies can thwart them with antivirus software.

In the burgeoning world of Internet espionage, the advantage seems to be increasingly tipping toward the spies.

“Attackers’ capabilities are racing ahead while many companies don’t yet realize the full threat they face,” says Paul Williams, a cybersecurity expert who spoke at a recent oil industry conference in Houston.

To redress the balance, experts offer several suggestions. One is for companies to become more zealous about monitoring critical information as it moves across their own networks. Often, companies are vigilant about setting up secure walls around their systems that try to prevent offending viruses and other spyware from getting in.

But they are usually less rigorous in monitoring key information that is going out of the network, which can be a window into nefarious activity that might be going on and who’s behind it, according to Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency. “Companies need full instrumentation to detect at what point and where access to critical data takes place,” he says. “What’s required is defending data and monitoring its use.”

That may sound a lot like “Big Brother” knocking at the door – and it does worry people. But Dr. Geer, author of the book “Economics and Strategies of Data Security,” argues that rather than zeroing in on people, firms should first:

• Identify critical data and then adopt systems so that you know how often the information is being accessed, by whom, and where it is going. Data that is valuable should be monitored at a level “in proportion to its value,” he writes.

• Make data security a principal focus of the company, not just an afterthought. That would include developing both surveillance and “interdiction” capability to be able to cut off access to key data – swiftly. This means built-in, rather than bolted on, security.
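The monitoring Geer describes, knowing how often critical data is accessed, by whom, and where it goes, and watching outbound flows rather than only inbound ones, can be illustrated with a small detector. The script below is an added example, not code from the article or from Geer's book; it assumes a hypothetical pipe-delimited access log, a hypothetical internal address range, and a hypothetical inventory that maps one critical dataset to the users expected to touch it. The log lines are constructed for the example.

```python
"""Flag unexpected access to critical data and its movement off the network.

Assumed log format (one event per line, constructed for this example):
    timestamp|user|host|action|path|bytes|destination
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Hypothetical internal address space; anything else counts as "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical inventory of critical data and the users expected to access it.
CRITICAL_DATA = {"/exploration/bids/2008": {"geo_lead", "bid_committee"}}

# Assumed policy: critical data is normally touched between 07:00 and 18:59.
BUSINESS_HOURS = range(7, 19)

# Constructed sample log: two routine reads, one large late-night send to an
# outside address by a service account, and one read by an unlisted user.
SAMPLE_LOG = """\
2008-06-02T09:15:00|geo_lead|10.1.4.20|read|/exploration/bids/2008|120000|-
2008-06-02T09:20:00|geo_lead|10.1.4.20|send|/exploration/bids/2008|120000|10.2.0.9
2008-06-02T23:41:00|svc_backup|10.1.4.20|send|/exploration/bids/2008|48000000|203.0.113.77
2008-06-03T10:05:00|bid_committee|10.1.7.3|read|/exploration/bids/2008|5000|-
2008-06-03T10:06:00|intern_42|10.1.7.3|read|/exploration/bids/2008|5000|-
2008-06-03T11:00:00|geo_lead|10.1.4.20|send|/marketing/brochure.pdf|9000000|198.51.100.5
"""


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    path: str
    nbytes: int
    dest: str


def parse_log(text: str) -> List[Event]:
    """Split each non-empty line on '|' into an Event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, path, nbytes, dest = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, host,
                            action, path, int(nbytes), dest))
    return events


def is_external(addr: str) -> bool:
    """True when a destination address lies outside the internal ranges."""
    if addr == "-":          # local read, no destination
        return False
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, line_number, detail) for each policy violation on critical data."""
    alerts = []
    for lineno, ev in enumerate(events, start=1):
        allowed = CRITICAL_DATA.get(ev.path)
        if allowed is None:
            continue                      # not critical data; out of scope here
        if ev.user not in allowed:
            alerts.append(("unknown_user", lineno, ev.user))
        if ev.action == "send" and is_external(ev.dest):
            alerts.append(("external_egress", lineno, ev.dest))
        if ev.ts.hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", lineno, ev.user))
    return alerts


def usage_summary(events: List[Event]) -> Tuple[dict, int]:
    """Who touched critical data, how often, and how many bytes left the network."""
    by_user = Counter()
    external_bytes = 0
    for ev in events:
        if ev.path in CRITICAL_DATA:
            by_user[ev.user] += 1
            if ev.action == "send" and is_external(ev.dest):
                external_bytes += ev.nbytes
    return dict(by_user), external_bytes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect(evs):
        print(alert)
    print(usage_summary(evs))
```

The brochure sent to an outside address on the last line raises nothing, which is the point of Geer's "in proportion to its value" rule: the effort goes into the data that matters, and the same 48 MB transfer that would be noise elsewhere becomes three separate alerts when it involves the bid data.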

“We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don’t come with a serious price in the form of data control,” he writes in his book.

“Infrastructure can be replaced,” he adds in an interview. “But data lost is a tragedy.”

– Mark Clayton

A glossary of cyberthievery

Phishing: Fraudulent bid to gain user names, passwords, and other sensitive information by appearing as a trusted source, usually in e-mails or instant messages.

Spear-phishing: Customized version of phishing directed at specific people, such as senior executives in companies. It might be a fake e-mail sent in the name of a boss to an associate.

Trojan horse: Computer program that seems to perform a useful function but instead aids unauthorized access to a network. It is often activated by links in fake e-mails.

Zero-day spyware: Program used to hack into a system on or before the first day engineers have released software to thwart it.

“Level 3” threat: State-sponsored teams of experts that breach a system using a variety of artful tools. The goal is often long-term infiltration.

Sources: Wikipedia, Monitor research
