
US oil industry hit by cyberattacks: Was China involved?

MONITOR EXCLUSIVE: Breaches show how sophisticated industrial espionage is becoming. The big question: Who’s behind them?

(Page 4 of 5)

Once a bogus link is clicked on, a single intruding piece of advanced spyware can change digital signatures to evade detection, spin off decoys, and lie low while waiting to pilfer targeted information. It gives clandestine control of a network over to the outside attackers. When the program finds data, it encrypts the information and sends it back to the cyberthieves.


“I can confirm for you that this type of advanced attack is happening to companies across the US today,” says Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency.

The new cyberwarfare has become complex enough that specialized teams are used to carry out different operations. Often, an “intrusion team” of professional hackers will work to breach the system. An “exfiltration team” will retrieve the data. Another unit might be dedicated to maintaining an electronic foothold in the network for years. “There are clear lines of responsibility between different actors going on,” says Mr. Lee of Mandiant.

Fake “phishing” e-mails are a familiar problem in corporate America and usually easily dealt with. Oil companies employ some of the top computer security talent. But the Nov. 13, 2008, e-mail to the executive at Marathon was not an ordinary phishing e-mail, as company officials found out when the FBI contacted them.

Agents told the companies that their computer networks were being covertly manipulated by outsiders and proprietary information had been flowing out, according to the source and documents. (FBI officials in Washington and Houston refused to comment on the cases or to acknowledge that they were involved in them.)

Once alerted, the Marathon team began finding other e-mail accounts, passwords, and personal computers that were “compromised,” the source says and documents show.

On Feb. 5, 2009, a handful of senior oil company executives and key technology people listened as federal officials from the National Cyber Investigative Joint Task Force in Fairfax, Va., – whose partner agencies include the Federal Bureau of Investigation, Secret Service, and members of the US intelligence community – began sharing some of what they had detected, documents show. Federal officials told the companies, for instance, that conventional defenses like antivirus software were not likely to be effective against “state-sponsored attacks,” the documents show.

Further, based on the kind of information that was being stolen, federal officials said a key target appeared to be bid data potentially valuable to “state-owned energy companies,” according to a written summary of the meeting. Marathon and other oil companies spend billions worldwide to locate new deposits. Most oil “lease blocks” produce little of value. But a few yield vast returns, and the estimates of where oil might be found and how much it might yield could give an outside entity a big advantage in bidding wars for prime leases.

China would certainly be interested in this kind of data, experts say. With the country’s economy consuming huge amounts of energy, China’s state-owned oil companies have been among the most aggressive in going after available leases around the world, particularly in Nigeria and Angola, where many US companies are also competing for tracts.

How to keep prying eyes out of your computer network

The computer security systems of many major corporations today are a Maginot line: Hackers are all too often overwhelming the defenders.

New forms of customized fake e-mails and other sophisticated programs can easily breach computer firewalls. Cyberthieves are devising new strains of spyware quicker than many companies can thwart them with antivirus software.

In the burgeoning world of Internet espionage, the advantage seems to be increasingly tipping toward the spies.

“Attackers’ capabilities are racing ahead while many companies don’t yet realize the full threat they face,” says Paul Williams, a cybersecurity expert who spoke at a recent oil industry conference in Houston.

To redress the balance, experts offer several suggestions. One is for companies to become more zealous about monitoring critical information as it moves across their own networks. Often, companies are vigilant about setting up secure walls around their systems that try to prevent offending viruses and other spyware from getting in.

But they are usually less rigorous in monitoring key information that is going out of the network, which can be a window into nefarious activity that might be going on and who’s behind it, according to Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency. “Companies need full instrumentation to detect at what point and where access to critical data takes place,” he says. “What’s required is defending data and monitoring its use.”

That may sound a lot like “Big Brother” knocking at the door – and it does worry people. But Dr. Geer, author of the book “Economics and Strategies of Data Security,” argues that rather than zeroing in on people, firms should first:

• Identify critical data and then adopt systems so that you know how often the information is being accessed, by whom, and where it is going. Data that is valuable should be monitored at a level “in proportion to its value,” he writes.

• Make data security a principal focus of the company, not just an afterthought. That would include developing both surveillance and “interdiction” capability to be able to cut off access to key data – swiftly. This means built-in, rather than bolted on, security.
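The two recommendations above (watch outbound movement of key data, and monitor critical data in proportion to its value) can be made concrete with a small egress-side monitor. This is an added illustration, not code from the article or from In-Q-Tel; the data inventory, team names, hosts and event records are constructed, and the corporate domain suffix and byte threshold are assumptions.

```python
from collections import defaultdict

# Constructed inventory: document -> (value tier, teams allowed to read it)
CRITICAL_DATA = {
    "lease-block-bids.xlsx": ("high", {"exploration"}),
    "seismic-estimates.pdf": ("high", {"exploration", "geology"}),
    "vendor-list.csv": ("medium", {"procurement"}),
}
# Monitoring "in proportion to value": high-value data is alerted on for any
# external transfer or out-of-team reader; medium-value data only when the
# external egress volume passes a threshold; untracked data is not instrumented.
EGRESS_LIMIT_BYTES = {"medium": 5_000_000}  # assumed threshold
INTERNAL_SUFFIX = ".corp.example"  # assumed internal host suffix

def analyze(events):
    """events: iterable of dicts with keys user, team, doc, dest, bytes.
    Returns a list of (severity, message) tuples in detection order."""
    alerts = []
    egress_totals = defaultdict(int)
    for ev in events:
        if ev["doc"] not in CRITICAL_DATA:
            continue  # only inventoried data is watched
        tier, allowed_teams = CRITICAL_DATA[ev["doc"]]
        external = not ev["dest"].endswith(INTERNAL_SUFFIX)
        if tier == "high":
            if ev["team"] not in allowed_teams:
                alerts.append(("high", f"{ev['user']} ({ev['team']}) read {ev['doc']}"))
            if external:
                alerts.append(("high", f"{ev['doc']} sent to {ev['dest']} by {ev['user']}"))
        elif tier == "medium" and external:
            # chunked transfers are summed per user and document
            egress_totals[(ev["user"], ev["doc"])] += ev["bytes"]
    for (user, doc), total in egress_totals.items():
        if total > EGRESS_LIMIT_BYTES["medium"]:
            alerts.append(("medium", f"{user} moved {total} bytes of {doc} off-network"))
    return alerts

# Constructed sample events: a legitimate read, an out-of-team read, a
# high-value external transfer, medium-tier egress split into two chunks,
# and an untracked file that should produce nothing.
SAMPLE_EVENTS = [
    {"user": "alice", "team": "exploration", "doc": "lease-block-bids.xlsx", "dest": "fs1.corp.example", "bytes": 40_000},
    {"user": "bob", "team": "marketing", "doc": "seismic-estimates.pdf", "dest": "fs1.corp.example", "bytes": 900_000},
    {"user": "carol", "team": "exploration", "doc": "lease-block-bids.xlsx", "dest": "203.0.113.7", "bytes": 40_000},
    {"user": "dave", "team": "procurement", "doc": "vendor-list.csv", "dest": "198.51.100.9", "bytes": 3_000_000},
    {"user": "dave", "team": "procurement", "doc": "vendor-list.csv", "dest": "198.51.100.9", "bytes": 3_000_000},
    {"user": "erin", "team": "hr", "doc": "holiday-schedule.txt", "dest": "198.51.100.9", "bytes": 2_000},
]

if __name__ == "__main__":
    for severity, msg in analyze(SAMPLE_EVENTS):
        print(severity.upper(), msg)
```

Running the sample yields three alerts: an out-of-team read of a high-value file, a high-value file leaving the network, and a medium-value file whose chunked external transfers exceed the threshold in aggregate.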

“We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don’t come with a serious price in the form of data control,” he writes in his book.

“Infrastructure can be replaced,” he adds in an interview. “But data lost is a tragedy.”

– Mark Clayton

A glossary of cyberthievery

Phishing: Fraudulent bid to gain user names, passwords, and other sensitive information by appearing as a trusted source, usually in e-mails or instant messages.

Spear-phishing: Customized version of phishing directed at specific people, such as senior executives in companies. It might be a fake e-mail sent in the name of a boss to an associate.

Trojan horse: Computer program that seems to perform a useful function but instead aids unauthorized access to a network. They are often activated by links in fake e-mails.

Zero-day spyware: Program that is used to hack into a system on or before the first day engineers have developed software to thwart it.

“Level 3” threat: State-sponsored teams of experts that breach a system using a variety of artful tools. The goal is often long-term infiltration.

Sources: Wikipedia, Monitor research