Hacking attacks from China hit energy companies worldwide

Summary: Security researchers at McAfee have sounded an alarm for what is described as "coordinated covert and targeted cyberattacks" against global oil, energy, and petrochemical companies.

McAfee said the attacks began in November 2009 and combined several techniques -- social engineering, spear phishing and vulnerability exploits -- to load custom RATs (remote administration tools) on hijacked machines.

The attacks, which McAfee tracked to China, allowed intruders to target and harvest sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.

We have identified the tools, techniques, and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China. Through coordinated analysis of the related events and tools used, McAfee has determined identifying features to assist companies with detection and investigation. While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers.

The company released a white paper to outline the attacks, which included the use of SQL injection and password cracking techniques.

A brief synopsis:

  • Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution.
  • Commonly available hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company’s intranet and giving them access to sensitive desktops and servers internally.
  • Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers.
  • Initially using the company’s compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet.
  • Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrate email archives and other sensitive documents.

McAfee's researchers discovered that attackers at several locations in China used C&C servers on hosted services purchased in the United States and on compromised servers in the Netherlands to wage the attacks.

Targets included global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States.

Talkback

29 comments
  • Just curious, were the Extranet web servers Windows or Linux

    Those at least, could be identified.
    DevGuy_z
    • RE: Hacking attacks from China hit energy companies worldwide

      @DevGuy_z ...

      The web server's OS is beside the point, as SQL injections were used to compromise the servers. Windows vs Linux isn't even applicable. Should be asking why the person in charge of said web servers didn't take proper steps to prevent SQL injections, such as validating queries before sending them.
      WarhavenSC
      • RE: Hacking attacks from China hit energy companies worldwide

        @WarhavenSC

        http://xkcd.com/327/
        erik.soderquist
  • "And what will happen to China?"

    You may ask... nothing. This isn't the first time nor the last time they've been caught with their hand in the cookie jar. US debt is so beholden to China, we can't do anything.
    WarhavenSC
    • RE: Hacking attacks from China hit energy companies worldwide

      @WarhavenSC Actually, the portion of US debt that's Chinese is not as large as domestic ownership. China is the largest foreign debt-holder, but domestic debt holders (banks, investors, individuals, the Fed) hold more US-government bonds than the combined foreign debt.
      snoop0x7b
      • So?

        @snoop0x7b : Just because a greater proportion of debt is held domestically doesn't mean we wouldn't be in a World of Hurt if China suddenly decided to call in the markers because we ticked them off. Currently they hold about $900 Billion of our debt. If they called them in, where do you think we would come up with that on short notice? That's $2900 for every man, woman and child in this country.

        Pony up, dude. I certainly can't.
        Zorched
      • Zorched, the US invests heavily overseas, too

        It's kind of a wash: China calls in our debt, we call in someone else's, they call in someone else's who in turn calls in China's.
        AllKnowingAllSeeing
      • RE: Hacking attacks from China hit energy companies worldwide

        Zorched: The US government issues little on-demand debt (savings bonds being one exception). If China "decided to call in the markers" they'd have to sell the debt on the open market, for whatever the debt is worth at the time. We are a hostage of the Chinese.
        bkshort@...
  • RE: Hacking attacks from China hit energy companies worldwide

    I am confused here..... Why in the name of dog would any corporation have their extranet servers loaded with private information that, once compromised, would allow an enemy to "harvest sensitive competitive proprietary operations and project-financing information"? Even worse, why would these corporations have their extranet connected to their intranet? It is simple planning to merely separate the two nets physically so that it is impossible to ever reach an executive's personal computer from outside. The stupidity here is enormous and close to unbelievable!
    rovolet
    • RE: Hacking attacks from China hit energy companies worldwide

      @rovolet The answer to your question is simple: the network administration and planning (and pretty much everything else) is outsourced to China, so everything is arranged in such a way that it can be reached remotely.
      pupkin_z
    • RE: Hacking attacks from China hit energy companies worldwide

      @rovolet

      It is probably more complicated than the diagram shown here... such as an SQL database whose data must be accessible from both sides, from the outside for customer orders, order status checks, etc., from the inside to update and fulfill those records... that SQL server then at some point must have a connection to both internal and external servers...

      However, there are other aspects I find much more troublesome, such as simply disabling the IE proxy settings allowing direct internet access. If you are going to go to the trouble of setting up a proxy for logging and security purposes, you also block (at minimum) outbound access from everything that is supposed to route through the proxy, if not kill the route altogether and make the proxy multi-homed. I know my office segments are not routed to the internet at all, so to get back out, it is either back through the proxy, or compromising a router somewhere on the network to add the outbound route back in.
      erik.soderquist
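As an added defensive example (not code from the article, from McAfee, or from any commenter), covering the proxy-bypass step in the synopsis above and erik.soderquist's point about egress control: a small Python script that scans a constructed egress-firewall log for desktops talking directly to external hosts on web ports, which is exactly the flow that a disabled IE proxy setting produces. The desktop subnet, proxy address and log format are assumptions.

```python
import ipaddress

# Constructed sample egress-firewall log (not from the McAfee report).
# Fields: timestamp, source IP, destination IP, destination port, action.
SAMPLE_LOG = """\
2011-02-10T08:01:02 10.20.1.15 10.20.0.5 8080 ALLOW
2011-02-10T08:01:09 10.20.1.15 203.0.113.44 80 ALLOW
2011-02-10T08:02:11 10.20.1.22 10.20.0.5 8080 ALLOW
2011-02-10T08:03:40 10.20.1.22 198.51.100.7 443 ALLOW
2011-02-10T08:03:41 10.20.1.22 198.51.100.7 443 ALLOW
2011-02-10T08:05:00 10.20.0.5 198.51.100.7 443 ALLOW
2011-02-10T08:06:13 10.20.1.30 203.0.113.44 80 DENY
"""

# Assumed network layout: one desktop subnet and one web proxy that every
# browser is configured to use. Only the proxy should reach the Internet.
WORKSTATIONS = ipaddress.ip_network("10.20.1.0/24")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}


def is_internal(addr):
    """True for RFC 1918 addresses; everything else is treated as external.
    (Deliberately not ipaddress.is_global, which also excludes the
    documentation ranges used in the sample log.)"""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL)


def find_proxy_bypasses(log_text):
    """Return {source IP: [(timestamp, dest IP, port), ...]} for every ALLOWed
    connection from a desktop straight to an external address on a web port.
    With browsers forced through the proxy such flows should not exist; a RAT
    that switched the IE proxy settings off would produce exactly these."""
    hits = {}
    for line in log_text.splitlines():
        ts, src, dst, port, action = line.split()
        src, port = ipaddress.ip_address(src), int(port)
        if (action == "ALLOW" and src in WORKSTATIONS
                and port in WEB_PORTS and not is_internal(dst)):
            hits.setdefault(str(src), []).append((ts, dst, port))
    return hits


if __name__ == "__main__":
    for host, flows in find_proxy_bypasses(SAMPLE_LOG).items():
        print(f"{host}: {len(flows)} direct web connection(s) bypassing the proxy")
        for ts, dst, port in flows:
            print(f"    {ts} -> {dst}:{port}")
```

The DENY line on the last row is what a correctly configured egress filter should produce; the ALLOW rows from the desktop subnet are the ones worth investigating.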
    • RE: Hacking attacks from China hit energy companies worldwide

      @rovolet
      I'm tempted to ask if you noticed there was an oil spill last year.
      JimboNobody
  • RE: Hacking attacks from China hit energy companies worldwide

    They hit individuals in Kazakhstan?! BORAT, THEY HACKED YOUR iPOD!
    jmwells21
  • This seems more like a cover up for something else.

    http://www.abovetopsecret.com/forum/thread659647/pg1
    covert IT
  • RE: Hacking attacks from China hit energy companies worldwide

    That's funny.... I've always thought that the drilling software was not designed with security in mind (I used to work on oil rigs). Pason, etc. are going to have to be thinking about security now.
    snoop0x7b
  • Not really...

    ...this is the US forging packets to only appear that it is coming from China to create fear and loathing within the mindless masses of this country. Or something to that effect.
    james347
    • RE: Hacking attacks from China hit energy companies worldwide

      @james347

      Hell of a forgery mission then... to the extent that it would have been much easier to hire a team to go to China and do the hack from there so the trace logs in various countries don't have to be faked... possibly cheaper too, and better plausible deniability, especially if said team meets 'unfortunate accidents' shortly after doing the hack.

      :P
      erik.soderquist
    • RE: Hacking attacks from China hit energy companies worldwide

      @james347
      Or maybe the Chinese came to the US and forged packets that looked like they came from China so they could convince conspiracy theorists that there really is a conspiracy.
      JimboNobody
  • RE: Hacking attacks from China hit energy companies worldwide

    @pupkin_z

    Excellent point!!! More and more corporations seem to outsource their IT groups to foreign countries as the be-all-end-all cost saving measure. I guess that when they were counting their profits they failed to look at the big picture.
    rlo19
  • RE: Hacking attacks from China hit energy companies worldwide

    AND::::: All of this information is totally valid, even if it is easy to get at.
    Sometimes I wonder about you.
    trm1945