'Night Dragon' attacks from China strike energy companies

McAfee said the intrusions targeted intellectual property and have been going on for as long as four years

Chinese hackers working regular business hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods in an operation dubbed "Night Dragon," according to a new report from security vendor McAfee.

The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites, said Greg Day, McAfee's director of security strategy. The hackers also used persuasive social-engineering techniques to get key executives in Kazakhstan, Taiwan, Greece, and the U.S. to divulge information.


The attacks have been linked to China due to the use of Chinese hacking tools commonly seen on underground hacking forums. Further, the attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. and 5 p.m. local time there, suggesting that the culprits were regular company employees rather than freelance or unprofessional hackers, McAfee said in its report.
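Working-hours analysis of this kind can be reproduced from ordinary connection logs. The following Python example is added here and is not code from McAfee or from the report; it converts a constructed set of UTC connection timestamps (not real Night Dragon data) into local time for several candidate time zones, using fixed UTC offsets assumed to be valid for February 2011, and scores each zone by the share of events that fall on weekdays between 9 a.m. and 5 p.m. A high score is suggestive, not conclusive: timestamps taken from a relay hop or proxy describe that hop's schedule, not necessarily the operator's, and an attacker can simply shift their hours.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample for this example, not data from the McAfee report: UTC
# timestamps of outbound connections from a compromised host to a C&C server,
# as they would be pulled from proxy or firewall logs.
SAMPLE_EVENTS_UTC = [
    "2011-02-07T01:15:00Z", "2011-02-07T03:40:00Z", "2011-02-07T08:55:00Z",
    "2011-02-08T02:05:00Z", "2011-02-08T06:30:00Z",
    "2011-02-09T01:00:00Z", "2011-02-09T07:45:00Z",
    "2011-02-10T04:20:00Z",
    "2011-02-11T05:10:00Z", "2011-02-11T12:30:00Z",
]

# Candidate attacker time zones as fixed UTC offsets, assumed correct for
# February 2011 (no DST in effect in any of them then). A real investigation
# should resolve IANA zone names with zoneinfo so DST transitions are handled.
CANDIDATE_ZONES = {
    "Asia/Shanghai (UTC+8)": 8,
    "Europe/London (UTC+0)": 0,
    "America/New_York (UTC-5)": -5,
}

# Business hours: 09:00 up to, but not including, 17:00, Monday to Friday.
WORKDAY_START, WORKDAY_END = 9, 17


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(dt_utc, offset_hours):
    """True if the event falls within a weekday working shift in the given zone."""
    local = dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END


def business_hours_fraction(events_utc, offset_hours):
    """Share of events landing in business hours for a zone; 0.0 for no events."""
    if not events_utc:
        return 0.0
    hits = sum(in_business_hours(parse_utc(ts), offset_hours) for ts in events_utc)
    return hits / len(events_utc)


def local_hour_histogram(events_utc, offset_hours):
    """Count of events per local hour (0-23) in the given zone, for eyeballing shifts."""
    counts = {}
    for ts in events_utc:
        local = parse_utc(ts).astimezone(timezone(timedelta(hours=offset_hours)))
        counts[local.hour] = counts.get(local.hour, 0) + 1
    return counts


def rank_candidates(events_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by business-hours fraction, best fit first."""
    scored = [(name, business_hours_fraction(events_utc, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_candidates(SAMPLE_EVENTS_UTC):
        print(f"{name:28s} business-hours share: {score:.0%}")
    print("local-hour histogram, UTC+8:", sorted(local_hour_histogram(SAMPLE_EVENTS_UTC, 8).items()))
```

With the constructed sample, nine of ten events fall inside a Beijing working day while none do in New York, which is the shape of evidence the report describes. Treat the score as one correlation among several (tool provenance, infrastructure, language artifacts), never as attribution on its own.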

Although McAfee said a group of hackers likely executed the attacks, it had pinpointed "one individual" located in Heze City in Shandong Province "who has provided the crucial C&C infrastructure to the attackers."

"It is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee said. Day said it is routine for McAfee to notify law enforcement in such instances.

McAfee's report is just the latest to underscore the continuing efforts of hackers to steal sensitive corporate information. In January 2010, Google disclosed attacks, dating from late 2009 and believed to have come from China, that also targeted dozens of other multinational companies; the campaign became known as "Operation Aurora."

McAfee did not publicly identify the companies attacked, but Day said some employed McAfee's professional services consultants.

Writing on a company blog, McAfee's CTO George Kurtz said the attackers used "an elaborate mix of hacking techniques" but relied on methods and tools that were "relatively unsophisticated."

But while seemingly downplaying the hackers' methods, McAfee admitted that it had only recently been able to detect the broad pattern.

"Only through recent analysis and the discovery of common artifacts and evidence correlation have we been able to determine that a dedicated effort has been ongoing for at least two years, and likely as many as four," the report said.

Day said that despite penetration testing designed to ensure a company's IT systems are secure, the breadth and complexity of corporate computer systems have made it increasingly difficult to link malicious actions together.

"I don’t want to say it’s the thing right under the nose that you miss but it's the very reality that things get through due to the depth and scope of the world we have to deal with today," Day said. "We keep seeing all kinds of infiltration because of that challenge."

The attacks often focused on the companies' public-facing Web sites, which were attacked using methods such as SQL injection, where attacker-controlled input is spliced into a database query so that the backend database executes statements the application never intended to allow. SQL injection can return sensitive information directly or serve as the foothold for other kinds of attacks.
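To make the mechanism concrete, the following Python example is added here; it is not code from the report or from any affected company. It builds a constructed in-memory SQLite table standing in for a site's backend, runs a document search the vulnerable way (search term concatenated into the SQL text) and the correct way (search term bound as a query parameter), and shows how a single crafted term turns a search restricted to public records into a dump of every row.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a public site's backend; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, classification TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (title, classification) VALUES (?, ?)",
        [
            ("Press release: Q3 results", "public"),
            ("Field production forecast 2011", "confidential"),
            ("Bid terms for exploration block 12", "confidential"),
        ],
    )
    return conn


# Crafted search term: closes the LIKE pattern the application wraps around it,
# then ORs in a comparison ('%'='%') that is always true, using the application's
# own trailing "%'" to close the final string literal.
INJECTION = "%' OR '%'='"


def search_vulnerable(conn, term):
    """Search as the vulnerable site does: the term becomes part of the SQL grammar."""
    sql = (
        "SELECT title FROM documents WHERE classification = 'public' "
        "AND title LIKE '%" + term + "%'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, term):
    """Hardened search: the SQL is fixed and the term is bound as data."""
    sql = (
        "SELECT title FROM documents WHERE classification = 'public' "
        "AND title LIKE ?"
    )
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def demo():
    """Run an honest search and the injection through both code paths."""
    conn = build_db()
    return {
        "honest_vulnerable": search_vulnerable(conn, "Press"),
        "honest_parameterized": search_parameterized(conn, "Press"),
        "injected_vulnerable": search_vulnerable(conn, INJECTION),
        "injected_parameterized": search_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {rows}")
```

The vulnerable path assembles `... AND title LIKE '%%' OR '%'='%'`, so the `classification = 'public'` restriction is bypassed and the confidential rows come back; the parameterized path treats the same characters as a pattern to match against titles and returns nothing. Escaping quotes by hand is not an adequate substitute for binding parameters, because every database dialect has its own set of characters that need handling.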

Once a web server had been compromised, the attackers would then upload programs such as remote administration tools (RATs). Those tools are often used by system administrators to fix computers from afar, as they allow complete access to a machine and let administrators see the system as if they were sitting right in front of it.

From there, the hackers would browse around other areas such as Active Directory, a Microsoft system used to provision network access to employees on corporate networks. They used password-cracking tools to get privileged access to other services on the network containing sensitive information such as market intelligence reports and information on operational production systems, Day said.

Send news tips and comments to jeremy_kirk@idg.com
