Chinese hackers accused of cyber attacks on IOCs

Eric Watkins
OGJ Oil Diplomacy Editor

LOS ANGELES, Feb. 10 -- The computer networks of at least five international oil companies, containing bidding plans and other confidential data, have been penetrated by China-based hackers, according to a report issued by a US computer security firm.

“Starting in November 2009, covert cyber attacks were launched against several global oil, energy, and petrochemical companies,” said George Kurtz, chief technical officer of the Santa Clara, Calif.-based McAfee Inc.

“The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations,” said Kurtz, citing his firm’s report, entitled “Global Energy Cyber Attacks: Night Dragon.”

According to Kurtz, the information obtained by the Chinese hackers “is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.”

A McAfee spokesperson told OGJ, “We are not releasing names of victims for confidentiality reasons. We know of the victims because we worked with many of them. Also, in our investigation we saw the documents that were being copied from these companies’ systems.”

The McAfee spokesperson told OGJ that, “We have confirmed that five global oil and gas companies were successfully penetrated by the attackers, but we believe that there may have been as many as a dozen.”

The spokesperson said, “We believe the attacks started in late 2009 but may have been going on as early as 2007. We see these attacks ongoing today.”

Kurtz said McAfee has identified the tools, techniques, and network activities used by the hackers.

“These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs),” Kurtz said.

"We have identified the tools, techniques, and network activities used in these continuing attacks—which we have dubbed Night Dragon—as originating primarily in China," the McAfee report states.

It said that hacking tools "widely available on the Chinese underground" were used to break into a company's intranet and obtain access to sensitive desktops and servers.

"They proceeded to connect to other machines (targeting executives) and exfiltrating e-mail archives and other sensitive documents," the report said.

McAfee noted that “many actors” took part in the attacks, but it identified one individual in Heze City, Shandong Province, who provided the “crucial (command and control) infrastructure to the attackers.”

McAfee said, "Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.”

McAfee said, "All of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 am to 5:00 pm Beijing time."

As a result, the firm concluded that “the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers.”

McAfee acknowledged the possibility that “all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers.”

But it discounted that possibility as “highly unlikely” due to “strong evidence suggesting that the attackers were based in China."

In Beijing, a spokesman for China's Ministry of Foreign Affairs said he was not aware of any information on alleged cyber attacks from China on US oil firms.

"I'm not aware of the information, but as for these types of reports, we see them quite often," said Ma Zhaoxu, a spokesman for the Ministry of Foreign Affairs, adding that he thinks “there is nothing new” in the McAfee report.

Contact Eric Watkins at hippalus@yahoo.com.


To access this Article, go to:
http://www.ogj.com/content/ogj/en/articles/2011/02/chinese-hackers-accused.html