Several multinational oil companies were victims of cyberespionage by Chinese hackers who downloaded sensitive data from their corporate networks, including the companies’ crown jewels – “bid data” detailing oil discoveries worldwide, reported cybersecurity company McAfee on Thursday.
By November 2009, the hackers had launched waves of coordinated “covert cyberattacks” aimed at pilfering data from the computer networks of global oil, energy, and petrochemical companies, McAfee reported. The attacks may have begun as many as four years ago – and are still continuing, McAfee's analysis revealed.
The hackers launched their attacks from several spots in China and were connected through Internet service providers in the United States and compromised servers in the Netherlands. From those platforms, the hackers worked to gain access to computers belonging to oil and gas executives in Kazakhstan, Taiwan, Greece, and the US. The first order of business was to steal passwords in order to gain access to company networks – and, after that, to proprietary information.
“The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations,” George Kurtz, chief technology officer for McAfee, wrote in his blog Wednesday. “This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.”
'Spear-phishing' via e-mail
Among techniques the hackers used were targeted “spear-phishing” attacks, in which the victim opens a custom-crafted e-mail designed to look as if it came from a boss or a coworker. Links in the e-mail typically connect to an infected site or open an infected attachment that installs a secret backdoor on the machine.
After gaining a foothold on oil executives’ laptops, the hackers were able to get direct access to the companies' networks – bypassing firewalls and other defenses, McAfee said. The hackers then began downloading “files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding,” it said.
In some instances, however, the cyberattackers also collected data from industrial control systems that can contain proprietary production data, such as pressure and temperature settings and valve openings needed to produce a product properly. That information is not only useful for competitors; it also could be used by saboteurs to create explosions or to tamper with product quality, although McAfee reported no signs of that kind of activity.
While most hackers cover their tracks by threading their way through a maze of computer servers spanning many nations, the ones in this case left a clear trail, said McAfee. China is definitely the origin of these cyberespionage attacks, it added.
“We have strong evidence suggesting that the attackers were based in China,” Mr. Kurtz wrote. “The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”
McAfee's report did not identify the names or the number of oil companies involved. The Wall Street Journal, however, on Thursday reported that five oil companies were hit by the attacks.
Akin to the Monitor's findings
In January 2010, a Monitor investigative report found that cyberespionage attacks believed to come from China had infiltrated computer networks belonging to at least three global oil giants. Cybersecurity experts say the McAfee findings strongly echo that earlier Monitor report.
Neither Marathon Oil, ExxonMobil, nor ConocoPhillips realized the extent of cyberespionage attacks that hit them in 2008, until the FBI alerted them that year and in early 2009, the Monitor reported last year. Some key oil company data were detected flowing from one oil company computer to a computer in China, according to documents obtained by the Monitor.
Despite such warnings, “the oil and natural gas security community has been so far too focused on meeting security guidelines and not enough attention was given to protecting their systems against the virulent new attacks,” writes Alan Paller, director of research at SANS Institute, a computer security training company, in an e-mail interview. “But they are awakening.”
There is no indication at this time that any of the three companies cited in the earlier Monitor report are connected with the newly reported “Night Dragon” incident.
Though the Night Dragon attacks focused on the energy sector, the tools and techniques they employed could be used against many other industries, McAfee said.
Indeed, last year Google announced that it and dozens of other high-tech companies had been hacked by the Chinese – and that its source code had been a target. Such attacks appear to be part of a large, coordinated effort by some countries to target US proprietary data, experts say.
“Any country that wants to support and develop an indigenous industry may very well use cyberespionage to help do that,” Greg Garcia, assistant secretary for cybersecurity at the Department of Homeland Security under the Bush administration, told the Monitor last year.
The aim: theft of data and intellectual property
The McAfee report said these kinds of attacks focus more and more "not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property.”
In the end, McAfee traced the command-and-control signals to computer servers owned by a single person in Heze City, Shandong Province, China. His company, according to its advertisements, provides “Hosted Servers in the U.S. with no records kept” for just $10 a year for 100 MB of space. The company’s US-based leased servers were used to host the command-and-control software “that controlled machines across the victim companies,” the report said.
“Although we don’t believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions,” McAfee said.
All of the data removal occurred as a result of commands coming “from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time,” the report said. That “suggests that the involved individuals were ‘company men’ working on a regular job, rather than freelance or unprofessional hackers.” Other experts agree.
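The working-hours pattern McAfee describes is something a defender can test directly against their own outbound-connection logs. The script below is an added illustration, not code from the McAfee report or the Monitor: it converts UTC timestamps to Beijing time and measures how much of the suspect traffic falls on weekdays between 09:00 and 17:00, then repeats the check against the victim's own time zone for contrast. The log lines, hosts and byte counts are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Beijing observes no daylight saving time, so a fixed UTC+8 offset is exact.
BEIJING = timezone(timedelta(hours=8))
# US Eastern Standard Time (UTC-5), the victim's assumed local zone in November.
US_EASTERN_STD = timezone(timedelta(hours=-5))

# Constructed sample: outbound connections from one internal host to a
# suspected command-and-control server, logged in UTC as
# "timestamp,src,dst,bytes_out". These are not real indicators.
SAMPLE_LOG = """\
2009-11-02T01:15:00Z,10.1.4.22,198.51.100.7,5242880
2009-11-02T03:40:00Z,10.1.4.22,198.51.100.7,1048576
2009-11-03T02:05:00Z,10.1.4.22,198.51.100.7,7340032
2009-11-04T08:30:00Z,10.1.4.22,198.51.100.7,2097152
2009-11-05T00:59:00Z,10.1.4.22,198.51.100.7,3145728
2009-11-07T02:00:00Z,10.1.4.22,198.51.100.7,4194304
2009-11-09T14:10:00Z,10.1.4.22,198.51.100.7,524288
2009-11-10T06:20:00Z,10.1.4.22,198.51.100.7,6291456
"""


def parse_log(text):
    """Return a list of (aware UTC datetime, bytes_out) from CSV log lines."""
    rows = []
    for line in text.strip().splitlines():
        ts, _src, _dst, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, int(nbytes)))
    return rows


def in_business_hours(when_utc, tz=BEIJING, start=9, end=17):
    """True if the event falls Mon-Fri between start and end o'clock in tz."""
    local = when_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_profile(rows, tz=BEIJING):
    """Share of events and of exfiltrated bytes that fall in tz working hours."""
    hits = [(when, b) for when, b in rows if in_business_hours(when, tz)]
    total_bytes = sum(b for _, b in rows)
    hit_bytes = sum(b for _, b in hits)
    return {
        "events": len(rows),
        "events_in_window": len(hits),
        "event_fraction": len(hits) / len(rows) if rows else 0.0,
        "byte_fraction": hit_bytes / total_bytes if total_bytes else 0.0,
    }


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("Beijing working hours:", business_hours_profile(rows))
    print("US Eastern working hours:", business_hours_profile(rows, US_EASTERN_STD))
```

A high Beijing-hours share alongside a low share in the victim's own zone is the signal the report relies on; on its own it is a hypothesis to corroborate with other evidence, not proof of attribution.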
“We’ve seen across many industries in recent months a very targeted type of attack,” Rob Lee, a computer forensics expert and director at Mandiant, a cybersecurity firm in Alexandria, Va., told the Monitor last year. “These are professionals [working in teams], not people doing this at night.”