Security researchers at McAfee have sounded an alarm for what is described as "coordinated covert and targeted cyberattacks" against global oil, energy, and petrochemical companies.
McAfee said the attacks begain November 2009 and combined several techniques -- social engineering, spear phishing and vulnerability exploits -- to load custom RATs (remote administration tools) on hijacked machines.
The attacks, which McAfee tracked to China, allowed intruders to target and harvest sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.
We have identified the tools, techniques, and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China. Through coordinated analysis of the related events and tools used, McAfee has determined identifying features to assist companies with detection and investigation. While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers.
The company released a white paper to outline the attacks, which included the use of SQL injection and password cracking techniques.
A brief synopsis:
- Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution.
- Commonly available hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company’s intranet and giving them access to sensitive desktops and servers internally.
- Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers.
- Initially using the company’s compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet.
- Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive documents.
McAfee's researchers discovered that several locations in China leveraged C&C servers on purchased hosted services in the United States and compromised servers in the Netherlands to wage the attacks.
Targets included global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States.