In a detailed report, "Global Energy Cyberattacks: 'Night Dragon'" (PDF), McAfee researchers say the attacks were first detected in November 2009 and could involve "many actors." The security vendor estimates that the attacks could have been going on for as long as four years.
"Targeted and well-coordinated attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are growing rapidly," McAfee says in its report. "These targets have now advanced beyond the defense industrial base, military and government computers to include global corporate and commercial targets."
The energy sector has long been the target of cyber-espionage. Last year McAfee and the Center for Strategic and International Studies (CSIS) released a report highlighting serious flaws in computer security at critical infrastructure facilities, including oil refineries and chemical and power plants. The report included the result of a survey of 600 security and IT executives from critical infrastructure companies. The oil and gas sectors reported the highest rates of silent infiltrations (71%), against 54% of the overall respondents, with more than a third reporting multiple infiltrations each month. The oil and gas industry also had the highest rates of extortion.
In its Night Dragon report, McAfee says it has identified an individual who provided the command and control (C&C) infrastructure for the attackers. Originating from different locations in China, the attackers used command and control servers located in U.S. hosting services as well as compromised servers in the Netherlands to commit their attacks.
In addition to the companies, the attackers also targeted "individuals and executives from Kazakhstan, Taiwan, Greece and the U.S. to seize private and highly confidential information," McAfee said.
McAfee says the methods of the attacks were relatively unsophisticated and appear to be "standard management techniques, using standard administrative credentials." Using automated tools, the attackers first used SQL injection attacks to compromise the web servers of the power firms. From there, they gained access to the firms' intranets, where they used password-cracking software to bypass authentication on sensitive desktops and servers, McAfee said.
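The SQL-injection step that opened this chain is the one part of it that leaves traces in ordinary web server logs. The following is an added example, not McAfee's detection tool or any code from the report: a small Python scanner that URL-decodes the query string of combined-format access log lines and flags common injection indicators, with a lone quote reported only when the server answered with a 5xx error. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2011:08:12:01 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:08:12:02 +0000] "GET /news.asp?id=42' HTTP/1.1" 500 317 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2011:08:12:03 +0000] "GET /news.asp?id=42%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- HTTP/1.1" 200 8044 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2011:08:13:10 +0000] "GET /search.asp?q=oil%20field HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators are matched against the URL-decoded query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+['\w]+\s*=\s*['\w]+", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    "stray_quote": re.compile(r"'"),
}

def decoded_query(target: str) -> str:
    """Return the URL-decoded query string of a request target ('' if none)."""
    return unquote_plus(urlsplit(target).query)

def classify(query: str, status: str) -> list[str]:
    """Return the indicator names that fire for one request."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(query)]
    # A quote in the query followed by a server error is the classic probe signature.
    if "stray_quote" in reasons and status.startswith("5"):
        reasons.append("error_after_quote")
    # A lone quote with a normal response is too noisy to report by itself.
    if reasons == ["stray_quote"]:
        return []
    return reasons

def scan_access_log(text: str) -> list[dict]:
    """Parse combined-format lines and return the requests that look like injection attempts."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(decoded_query(m["target"]), m["status"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": m["status"], "reasons": reasons})
    return hits
```

Running `scan_access_log(SAMPLE_LOG)` reports the two requests from 203.0.113.5 and ignores the benign ones; in practice the rule set would be tuned per application and fed to the SIEM rather than used as-is.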
"This is why they are primarily able to evade detection from standard security software and network policies," McAfee says. "Using the malware [remote administration tool], they proceeded to connect to other machines (the targeted executives) and infiltrate email files and other sensitive documents," McAfee says. The attackers also targeted mobile workers' laptops in order to compromise corporate VPN accounts.
McAfee has released a Night Dragon vulnerability detection tool that checks whether systems are vulnerable to the types of methods used by the attackers.
"Files of interest focused on oil and gas field operating systems, and financial documents related to field exploration and bidding were then copied from the compromised equipment or via extranet servers," McAfee said. "In some cases, the files were copied and downloaded by the attackers from the web servers. In certain cases, the attackers collected information from SCADA systems."
Translation: Raul Batista - Segu-Info
Source: SearchSecurity.com

