Attacks launched from China against oil and gas companies used simple hacking tools and even legitimate software.

Mathew J. Schwartz, Contributor

February 16, 2011

4 Min Read

Vendors as well as government agencies seeking funding love to trot out the "be afraid" mantra. This year's RSA conference is no exception, with Stuxnet now the cause célèbre.

Is there a dose of sabotage in your future? Perhaps, as apparently even the pro-WikiLeaks hacking collective Anonymous now has a copy of Stuxnet. That's according to a recent tweet by one self-described member of the collective known as Topiary.

So if you operate an Internet-connected nuclear centrifuge that runs Siemens Simatic WinCC SCADA systems software, working in conjunction with 33 or more frequency converter drives from specific vendors in Iran or Finland -- all of this being the only environment that Stuxnet targets -- watch out.

For everyone else, it's back-to-basics time, especially in the wake of last week's report from McAfee revealing that since November 2009 -- and possibly earlier -- "coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies."

The goal was apparently simple: to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.

While McAfee didn't reveal the targeted companies, it says the operation -- which it dubbed Night Dragon -- appeared to originate in China and to not involve anarchist talent, as attackers worked from 9 to 5, Beijing time. Or in the words of the report, it appears that "the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers." Furthermore, McAfee says it traced at least one person that helped support the attacks -- by leasing Internet hosting to the attackers -- to Heze City, 360 miles from Beijing.

How did attackers break into oil and gas companies? Via the usual suspects: SQL injection attacks to compromise perimeter security, followed by social engineering and phishing attacks, exploiting known Windows and Active Directory vulnerabilities, as well as using customized remote administration tools (RATs) to connect directly with compromised computers.

"These methods and tools are relatively unsophisticated," says George Kurtz, worldwide CTO of McAfee, in a blog post. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."

In other words, unlike Stuxnet, or the Aurora attacks that targeted Google and other major technology companies about a year ago, attackers here used cheap tools and techniques to execute targeted attacks that apparently succeeded at procuring valuable information.

What's the takeaway from Night Dragon, for the energy sector or any other business? Simply this: When it comes to cybercriminals, it's business as normal. "The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data," says Fraser Howard, a principal virus researcher at SophosLabs, in a blog post.

As with so many attacks, criminals relied on known vulnerabilities and common attack vectors. "The truth is that this week is no different to last -- there is no new outbreak, vulnerability, or risk of infection," he says. "Instead, the attacks illustrate the background crimeware menace that all organizations face."

But if there's one immediate takeaway, he says, it's that more organizations should be using potentially unwanted application (PUA) and application control (AppC) detection technology to monitor for legitimate but unwanted software operating inside the network. "The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed," says Fraser. "Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit."

In other words, don't be afraid. Simply be prepared.

SEE ALSO:

Schwartz On Security: The Right To Social Networks

Schwartz On Security: Slouching Toward Smartphone, Apple Armageddon

Schwartz on Security: Bling Botnets Sell Gangster Lifestyle

Schwartz On Security: Hack My Ride

Schwartz On Security: First, Know You've Been Breached

Schwartz On Security: Don't Get Hacked For the Holidays

Schwartz On Security: WikiLeaks Highlights Cost Of Security

See all stories by Mathew J. Schwartz

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights