Skip to: Content
Skip to: Site Navigation
Skip to: Search

US oil industry hit by cyberattacks: Was China involved?

MONITOR EXCLUSIVE: Breaches show how sophisticated industrial espionage is becoming. The big question: Who’s behind them?

(Page 3 of 5)

But, according to the source and documents obtained by the Monitor, her response was too late. The fake had already been forwarded to other people – and someone had clicked on the link it contained. Instantly, an unseen spy program started spreading stealthily across Marathon’s global computer network.

Skip to next paragraph

Nearly identical fake e-mails that appeared to come from senior executives were also sent to colleagues in key posts at ExxonMobil and ConocoPhillips – all containing a request for them to analyze the Economic Stabilization Act noted on the subject line, a source familiar with the attacks says.

How successful the cyberspies ultimately were – whoever they were – isn’t publicly known.

“Marathon does not comment on security matters due to the confidential nature of such issues,” the company said in a statement to the Monitor. “Our Company recognizes the critical importance of ensuring the security of all aspects of our operations and to accomplish this we continually monitor and review the security systems and processes we have in place to protect our facilities, employees and the communities in which we operate.”

The attacks that infiltrated Marathon, ExxonMobil, and ConocoPhillips penetrated their electronic defenses using a combination of fake e-mails and customized spyware programs to target specific data, according to multiple sources and documents.

Such customized attacks first began infiltrating corporate computer networks in low numbers around 2004, but have become far more common in the past year. An estimated $1 trillion in intellectual property was stolen worldwide through cyberspace in 2008, according to a study last year by the antivirus company McAfee.

“We’ve seen across many industries in recent months a very targeted type of attack,” says Rob Lee, a computer forensics expert and director at Mandiant, a cybersecurity company in Alexandria, Va. “These are professionals [working in teams], not people doing this at night.”

Many experts say the theft of this kind of information – about, for instance, the temperature and valve settings of chemical plant processes or the source code of a software company – can give competitors an advantage, and over time could degrade America’s global economic competitiveness.

“Identity theft is small potatoes compared to this new type of attack we’ve been seeing the past 18 months,” says Scott Borg, who heads the US Cyber Consequences Unit, a nonprofit that advises government and the private sector. “This is a gigantic loss with significant economic damage.”

Yet it’s often hard to prove – or even know – if outsiders have infiltrated a network or pilfered any information. Many companies are unwilling to tell shareholders or law enforcement that they’ve been attacked.

Even more basic, many corporate executives aren’t aware of how sophisticated the new espionage software has become and cling to outdated forms of electronic defense.

“Antivirus software misses more than 20 percent of the Trojans in my testing,” says Paul Williams, a cybersecurity expert who spoke at a recent oil and gas industry conference in Houston.

One new type of intruder, for instance, is customized “zero-day” spyware – so-called because its digital signature is so new that it has not yet been catalogued by antivirus companies. “Phishing,” trying to acquire sensitive information through fraudulent e-mails or instant messages, is a common criminal technique. A more insidious variant, “spear-phishing,” customizes the fake e-mail for a company in the hope of fooling key personnel into introducing the spyware throughout a computer network.

How to keep prying eyes out of your computer network

The computer security systems of many major corporations today are a Maginot line: Hackers are all too often overwhelming the defenders.

New forms of customized fake e-mails and other sophisticated programs can easily breach computer firewalls. Cyberthieves are devising new strains of spyware quicker than many companies can thwart them with antivirus software.

In the burgeoning world of Internet espionage, the advantage seems to be increasingly tipping toward the spies.

“Attackers’ capabilities are racing ahead while many companies don’t yet realize the full threat they face,” says Paul Williams, a cybersecurity expert who spoke at a recent oil industry conference in Houston.

To redress the balance, experts offer several suggestions. One is for companies to become more zealous about monitoring critical information as it moves across their own networks. Often, companies are vigilant about setting up secure walls around their systems that try to prevent offending viruses and other spyware from getting in.

But they are usually less rigorous in monitoring key information that is going out of the network, which can be a window into nefarious activity that might be going on and who’s behind it, according to Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency. “Companies need full instrumentation to detect at what point and where access to critical data takes place,” he says. “What’s required is defending data and monitoring its use.”

That may sound a lot like “Big Brother” knocking at the door – and it does worry people. But Dr. Geer, author of the book “Economics and Strategies of Data Security,” argues that rather than zeroing in on people, firms should first:

• Identify critical data and then adopt systems so that you know how often the information is being accessed, by whom, and where it is going. Data that is valuable should be monitored at a level “in proportion to its value,” he writes.

• Make data security a principal focus of the company, not just an afterthought. That would include developing both surveillance and “interdiction” capability to be able to cut off access to key data – swiftly. This means built-in, rather than bolted on, security.

“We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don’t come with a serious price in the form of data control,” he writes in his book.

“Infrastructure can be replaced,” he adds in an interview. “But data lost is a tragedy.

– Mark Clayton

A glossary of cyberthievery

Phishing: Fraudulent bid to gain user names, passwords, and other sensitive information by appearing as a trusted source, usually in e-mails or instant messages.

Spear-phishing: Customized version of phishing directed at specific people, such as senior executives in companies. It might be a fake e-mail sent in the name of a boss to an associate.

Trojan horse: Computer program that seems to perform a useful function but instead aids unauthorized access to a network. They are often activated by links in fake e-mails.

Zero-day spyware: Program that is used to hack into a system on or before the first day engineers have developed software to thwart it.

“Level 3” threat: State-sponsored teams of experts that breach a system using a variety of artful tools. The goal is often long-term infiltration.

Sources: Wikipedia, Monitor research