China syndrome: Hackers steal data from oil giants worth millions

Published 17 February 2011

McAfee Inc. recently announced that hackers have stolen data worth millions from five major multinational oil and gas companies; in the attacks, dubbed “Night Dragon,” hackers stole company secrets like bidding contracts, oil exploration data, proprietary industrial processes, and sensitive financial documents; analysts determined that hackers initially began infiltrating company networks in November 2009 using relatively simple methods; the information that the cyber thieves took was “tremendously sensitive and would be worth a huge amount of money to competitors”; the methods of execution and circumstantial evidence implicate China

McAfee Inc. recently announced that hackers have stolen sensitive data worth millions from five major multinational oil and gas companies.

In the attacks, dubbed “Night Dragon,” hackers stole company secrets like bidding contracts, oil exploration data, proprietary industrial processes, and sensitive financial documents.

Dmitri Alperovitch, vice president for threat research at McAfee, said, “It speaks to quite a sad state of our critical infrastructure security,” because “these were not sophisticated attacks, yet they were very successful in achieving their goals.”

In its report on the incidents, McAfee analysts determined that hackers initially began infiltrating company networks in November 2009 using relatively simple methods and diligently worked their way to sensitive documents in several stages.

Hackers first gained access to servers or computers by compromising a public website’s server or sending infected e-mails to company executives. Once inside, hackers loaded malicious code to gain further access to internal networks.

Cracking tools were then used to gather usernames and passwords to delve even deeper into company data. Once firmly ensconced, the hackers disabled network settings to remotely access machines on corporate networks and steal sensitive documents.

According to McAfee the information that the cyber thieves took was “tremendously sensitive and would be worth a huge amount of money to competitors.”

The Night Dragon attacks share similarities with the Stuxnet virus and the 2009 Operation Aurora attacks on Google in China in that they were highly targeted and sought to achieve specific outcomes. Most cyber attacks and viruses are meant to generate general chaos and infect computers at random.

Alperovitch is careful to note that there is no clear evidence to suggest that the attacks were “government sponsored in any way.”

Circumstantial evidence suggests that the attacks emanated from China. McAfee traced one of the hacks to a server leasing company in Shandong Province in China, which hosted one of the pieces of malware. McAfee also found that some of the attacks were perpetrated using IP addresses in Beijing between the hours of 9 a.m. and 5 p.m.

Cyber attacks are notoriously difficult to attribute, and according to Greg Day, director of security strategy at McAfee, these clues could be misdirection.

“The attackers did not seem to be at all careful in covering their trail,” Day said. “Was that just they were not that skilled or were they trying to leave a bread crumb trail to paint a false picture?”

In the past, China has been linked to attacks like this, including Operation Aurora in 2009, where Chinese hackers infiltrated Google’s networks to steal information on human rights activists in China.

According to Jim Lewis, a cyber security expert at the Center for Strategic and International Studies, these types of attacks are “normal business practice in China.”

“It’s not always state sponsored. And they do it to each other,” he said.

In response to the attacks, Ma Zhaoxu, a spokesman for China’s Foreign Ministry, claimed that China had no knowledge that the attacks had even occurred.

He said, “I really have no grasp of this situation, but we frequently hear about these types of reports.”