Cyber espionage hit the headlines last week with reports of a series of hacker attacks—dubbed Night Dragon—aimed at major energy companies. The sophistication level of the attacks is significantly lower than that of the notorious Stuxnet worm that was found infecting control system networks last year, experts say. But the Night Dragon attacks, believed to be largely the work of Chinese hackers, have nonetheless been successful in achieving their apparent objective—that of intellectual property theft from global oil and gas, energy and petrochemical companies.
Night Dragon sends another sobering message to the critical infrastructure community, say experts interviewed by Automation World. “I think the lesson to take away is that these people used comparatively low-tech methods to achieve their ends, and the target of their attack was susceptible to those low-tech attacks,” says Andrew Ginter, chief technology officer at Abterra Technologies Inc. (www.abterra.ca), Calgary, Alberta, Canada, industrial control-system security firm.
Word of Night Dragon broke on Feb. 10, with a report released by McAfee Inc. (www.mcafee.com), the Santa Clara, Calif., anti-virus company that named the attacks. The hackers used relatively common tools and techniques to launch the attacks, which are still ongoing, McAfee says.
“Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy and petrochemical companies,” says the McAfee report. “These attacks have involved social engineering, spearphishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.”
The report provides a detailed description of the tools, techniques and network activities used in the attacks, in what McAfee calls “methodical and progressive intrusions into the targeted infrastructure.” Once the hackers gained control of targeted systems, “files of interest were copied from compromised hosts or via extranet servers. In some cases, the files were copied to and downloaded from company Web servers by the attackers,” says McAfee. “In certain cases, the attackers collected data from SCADA (supervisory control and data acquisition) systems,” the report adds.
McAfee says it has strong evidence suggesting that the Night Dragon attackers are based in China. Citing “circumstantial evidence,” the report even says that McAfee investigators have identified one individual located in Heze City, Shandong Province, China, whom it believes has provided crucial C&C (command and control) infrastructure to the attackers. Many of the hacking tools used in the attack are of Chinese origin, and are prevalent on Chinese underground hacking forums, McAfee says.
In addition, the report notes that “all of the identified exfiltration activity occurred from Beijing-based IP (Internet protocol) addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time.” This suggests that “the involved individuals were ‘company men’ working on a regular job, rather than freelance or unprofessional hackers,” the report adds.
At Byres Security Inc. (www.tofinosecurity.com), a Lanzville, British Columbia, Canada-based industrial control-system security firm, Chief Technology Officer Eric Byres says that reports of the Night Dragon attacks do not surprise him. “I’ve certainly worked with clients who’ve had significant intellectual property stolen from their processes,” he tells Automation World. The Night Dragon attacks appear to be an example of what the cyber-security community calls “advanced persistent threats (APTs),” Byres observes. “Not noisy, just quiet and stealthy and targeted, and definitely looking at very specific victims.”
Abterra’s Ginter agrees. The 9-to-5 nature of the attacks suggests that “these are people who come in, hack for a living, and go home at five o’clock to their families,” Ginter says. “These are not out-for-glory hackers who might hack you and then go do something else, depending on how the mood strikes them. These are professionals who have been given an objective, and they’re going to achieve that objective, and this is what they’re going to do until they’re given another objective.”
Beyond their lower sophistication level, the Night Dragon attacks differ in other ways from the Stuxnet infiltrations discovered last year. Stuxnet was aimed directly at control systems, and is believed by some experts to have been designed for sabotage of Iranian uranium enrichment programs. Night Dragon, by contrast, is aimed largely at exploiting higher-level information technology (IT) systems and servers for the purpose of stealing information.
But Ginter notes that many of the remote desktop tools and methods used by Night Dragon attackers to commandeer higher-level systems could just as easily be used on control systems. “Don’t be complacent because they were after intelligence,” he warns. “The same techniques could be used to take over an operator control console.”
The McAfee report notes that investigations have identified various artifacts of the Night Dragon attacks that can be used to determine whether a company has been compromised. And it makes a number of recommendations on steps that companies can take to protect themselves against Night Dragon attacks, including, not surprisingly, the use of various McAfee products.
Among other things, the McAfee report says, “For complete prevention of this and most other attacks involving advanced persistent threats (APTs), customers can deploy application whitelisting and change/configuration control software on their critical servers.” Whitelisting was one of two emerging control-system security technologies discussed in detail in an October 2010 Automation World feature, “Defending Against the Next Stuxnet.”
“Pretty much anything that would have prevented Stuxnet would have been useful here—whitelisting, tighter firewall rules, better accounts, better passwords,” says Ginter. And Eric Byres, at Byres Security, reiterates the control-system cyber-security mantra that the elimination of poor security practices, as well as implementation of well-defined “defense-in-depth” strategies, is always the best way to go.