US oil industry hit by cyberattacks: Was China involved?
MONITOR EXCLUSIVE: Breaches show how sophisticated industrial espionage is becoming. The big question: Who’s behind them?
(Page 5 of 5)
“Knowing which one of those blocks is oil-bearing – and which to go for and which not – is clearly worth something,” says Paul Dorey, former chief information security officer at BP, the world’s third-largest oil company, and now a computer-security consultant in London. “If I was a foreign government, that’s the data I would want to get – and any analysis that reveals [a company’s] intention. Yes, that would be pretty valuable.”
Still, a simple thirst for oil is no proof that a country is conducting corporate espionage. Even the suggestion, contained in one of the documents, that some data had flowed from a ConocoPhillips computer to a computer in China could have been the result of some other nation’s cyberspy unit co-opting Chinese servers to cover their tracks, experts say. Lee and other specialists admit that it will be difficult, and perhaps impossible, to ever determine definitively who was behind the attacks.
Even so, the oil industry breaches coincide with a growing number of coordinated cyberassaults in the US that many experts do blame on the Chinese. The Google allegations are just the most recent.
“What I’m saying to you is that it’s not just the oil and gas industry that’s vulnerable to this kind of attack: It’s any industry that the Chinese decide they want to take a look at,” says an FBI source. “It’s like they’re just going down the street picking out what they want to have.”
Last March, Canadian researchers identified 1,295 computers in 103 countries infected by spyware and operated by someone as a “GhostNet” or cyberspy network. In each case, a Trojan program was downloaded that gave the attackers control of the computers, and that control was traceable, the report said, to “commercial Internet accounts on the island of Hainan,” which is the home of the Chinese Army’s intelligence facility.
In October, a report by the US-China Economic and Security Review Commission summarized the threat bluntly. “China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign.”
Chinese officials refuted the report when it came out, and, more recently, a spokesman for the Chinese Embassy in Washington, Wang Baodong, denied any Chinese involvement in the oil and gas industry attacks, saying the country forbids “all forms of cybercrimes, including hacking activities.”
Others remain skeptical. “The China threat is constant,” says Shawn Carpenter, principal forensics analyst for NetWitness, a cybersecurity company. “If there’s valuable intellectual property out there, there are people in China and elsewhere who want to take it. It’s the new battlefield – low risk and low investment with high gain.”
How to keep prying eyes out of your computer network
The computer security systems of many major corporations today are a Maginot line: Hackers are all too often overwhelming the defenders.
New forms of customized fake e-mails and other sophisticated programs can easily breach computer firewalls. Cyberthieves are devising new strains of spyware quicker than many companies can thwart them with antivirus software.
In the burgeoning world of Internet espionage, the advantage seems to be increasingly tipping toward the spies.
“Attackers’ capabilities are racing ahead while many companies don’t yet realize the full threat they face,” says Paul Williams, a cybersecurity expert who spoke at a recent oil industry conference in Houston.
To redress the balance, experts offer several suggestions. One is for companies to become more zealous about monitoring critical information as it moves across their own networks. Often, companies are vigilant about setting up secure walls around their systems that try to prevent offending viruses and other spyware from getting in.
But they are usually less rigorous in monitoring key information that is going out of the network, which can be a window into nefarious activity that might be going on and who’s behind it, according to Daniel Geer, chief information security officer for In-Q-Tel, a nonprofit venture capital firm funded by the Central Intelligence Agency. “Companies need full instrumentation to detect at what point and where access to critical data takes place,” he says. “What’s required is defending data and monitoring its use.”
That may sound a lot like “Big Brother” knocking at the door – and it does worry people. But Dr. Geer, author of the book “Economics and Strategies of Data Security,” argues that rather than zeroing in on people, firms should first:
• Identify critical data and then adopt systems so that you know how often the information is being accessed, by whom, and where it is going. Data that is valuable should be monitored at a level “in proportion to its value,” he writes.
• Make data security a principal focus of the company, not just an afterthought. That would include developing both surveillance and “interdiction” capability to be able to cut off access to key data – swiftly. This means built-in, rather than bolted on, security.
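The outbound monitoring Geer describes, as an added illustration that is not part of the article: it scans constructed connection-log lines (an assumed "time src dst port bytes_sent" format, an assumed 10.0.0.0/8 corporate range and an assumed critical file server at 10.1.9.5) and flags any internal host that both read from the critical server and pushed an unusual volume of data outside the network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed connection-log lines (not from the article): "time src dst dport bytes_sent"
SAMPLE_LOG = """\
2010-01-20T09:00:01 10.1.9.5 10.1.4.22 445 3000000
2010-01-20T09:05:12 10.1.4.22 203.0.113.45 443 900000
2010-01-20T09:06:40 10.1.4.22 203.0.113.45 443 1400000
2010-01-20T10:15:03 10.1.7.8 198.51.100.20 443 80000
2010-01-20T11:20:45 10.1.7.8 203.0.113.45 22 500000
2010-01-20T12:30:00 10.1.7.8 10.1.9.5 445 20000
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate address range
CRITICAL_HOSTS = {"10.1.9.5"}                # assumed: server holding seismic data
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Turn log lines into flow records; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, src, dst, dport, sent = m.groups()
            flows.append({"src": src, "dst": dst, "dport": int(dport), "bytes": int(sent)})
    return flows

def egress_per_host(flows):
    """Bytes each internal host sent to destinations outside the corporate range."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)

def critical_reads_per_host(flows):
    """Bytes each host pulled from the servers tagged as holding critical data."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in CRITICAL_HOSTS:
            totals[f["dst"]] += f["bytes"]
    return dict(totals)

def suspicious_hosts(flows, egress_threshold):
    """Hosts over the egress threshold that also read critical data: report both facts."""
    egress, reads = egress_per_host(flows), critical_reads_per_host(flows)
    return {h: {"egress": b, "critical_read": reads[h]}
            for h, b in egress.items() if b > egress_threshold and h in reads}
```

The threshold is the per-host baseline a company would set "in proportion to its value"; in the sample, only 10.1.4.22 both pulled data from the critical server and exceeded it.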
“We are kidding ourselves if we think that the attractive benefits of the digital lifestyle, whether for persons or companies, don’t come with a serious price in the form of data control,” he writes in his book.
“Infrastructure can be replaced,” he adds in an interview. “But data lost is a tragedy.”
– Mark Clayton
A glossary of cyberthievery
Phishing: Fraudulent bid to gain user names, passwords, and other sensitive information by appearing as a trusted source, usually in e-mails or instant messages.
Spear-phishing: Customized version of phishing directed at specific people, such as senior executives in companies. It might be a fake e-mail sent in the name of a boss to an associate.
Trojan horse: Computer program that seems to perform a useful function but instead aids unauthorized access to a network. They are often activated by links in fake e-mails.
Zero-day spyware: Program that is used to hack into a system on or before the first day engineers have developed software to thwart it.
“Level 3” threat: State-sponsored teams of experts that breach a system using a variety of artful tools. The goal is often long-term infiltration.
Sources: Wikipedia, Monitor research