Chasing the Night Dragon in Big-Energy IT

Cybercrime has evolved into a professional activity, one example of which is a large-scale attack McAfee CTO George Kurtz has dubbed “Night Dragon” in a recent blog post.

The activity is described as a series of largely unsophisticated cyberattacks targeting energy companies and going back as far as four years.

The hackers appear to be based in China, McAfee claimed, citing the IP addresses from which the attacks were launched as well as tools and techniques used as evidence.

However, Mary Landesman, Cisco’s senior security researcher, told TechNewsWorld these attacks are not new and, in fact, have actually gone down somewhat over the past year.

The so-called Night Dragon attacks are pretty similar to the Gh0stNet attacks of 2009, according to Will Gragido, product manager at HP DVLabs. Also, it’s easy for hackers to hide their actual locations, he told TechNewsWorld.

“Source origination does not prove a thing when speaking purely of IP addresses that can be manipulated with ease to hide one’s presence or imply that one is in fact somewhere else,” Gragido elaborated.

McAfee did not respond to requests for comment by press time.

And the Dragon Comes in the Night

Covert cyberattacks were launched against several global oil, energy and petrochemical companies starting in 2009, McAfee claimed. The attackers targeted these companies’ proprietary operations and project financing information.

The attacks, McAfee said, involved a mix of hacking techniques including social engineering, spear-phishing, Windows exploits, compromising Microsoft Active Directory servers and the use of remote administration tools (RATs).

The tools evaded detection by standard security software and network policies because they work through ordinary host administration techniques, McAfee said.

Analysis showed the attacks have been going on for as many as four years, according to the security vendor.

The tools, techniques and network activities used in these attacks originate primarily in China, McAfee claimed. The tools are widely available on Chinese Web forums and tend to be used exclusively by Chinese hacker groups, according to the company.

Everything Old Is New Again

Throughout 2010, companies in the pharmaceutical, chemical, energy, and oil sectors were most at risk from Web malware, Cisco’s Q4 2010 global threat report stated.

The Night Dragon attacks have been ongoing, and Cisco has been monitoring them since 2007, Landesman said.

However, there was actually a downturn in these attacks in 2010, Landesman said, and she believes this was due to a combination of “better awareness on the part of the energy and oil sector” and the hackers shifting to other targets, such as companies in the mining and agricultural industries.

Getting a Four-Year Free Ride

The hackers behind Night Dragon attacks managed to carry on their activities for up to four years because the target companies weren’t properly monitoring their networks for attacks, configuration changes or vulnerabilities, Eric Knight, senior knowledge engineer at LogRhythm, told TechNewsWorld.

“As companies grow, they often underestimate the value of their IT infrastructure,” Knight pointed out. “There is good reason to believe that the affected companies didn’t want to invest in their IT security because they didn’t realize the importance of many of these documents.”

Those documents increased in value as the companies grew, Knight said.

“Passive security measures are not sufficient,” Cisco’s Landesman stated. “Regular, routine, active monitoring of logs and ongoing forensics are key to ferreting out advanced persistent threats.”

Further, companies must have an information security plan that addresses the value of their own intellectual property and apply proper controls there, Knight suggested. They must also have proper monitoring of network usage.
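The attack pattern McAfee describes above (valid domain credentials and ordinary remote-administration tooling used against many hosts) and the remedy Landesman and Knight recommend (routine, active review of logs) can be illustrated together. The following is an added example, not code from the article, from McAfee’s report or from any of the vendors quoted: a small detector run over constructed Windows-style logon events. The event format, host names, account names, the 30-minute window, the four-host threshold and the 07:00–19:00 business-hours assumption are all illustrative choices, not details from the page.

```python
"""
Added example (not from the article or any vendor named in it).

Flags two things that signature-based tools miss because the activity is
ordinary administration: one account performing remote logons to many
distinct hosts in a short window (fan-out), and remote logons outside
business hours. Thresholds and hours are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line mimics the fields a
# Windows Security 4624 logon event would give a SIEM:
#   timestamp  account  source-IP  target-host  logon-type
# logon type 3 = network (e.g. SMB/admin shares), 10 = remote interactive (RDP).
SAMPLE_EVENTS = [
    "2011-02-09T09:02:11 CORP\\alice 10.1.4.22 FILESRV01 3",
    "2011-02-09T09:15:40 CORP\\alice 10.1.4.22 FILESRV01 3",
    "2011-02-09T22:03:01 CORP\\svc_backup 10.1.9.7 DC01 10",
    "2011-02-09T22:03:44 CORP\\svc_backup 10.1.9.7 ENG-WS-014 10",
    "2011-02-09T22:04:10 CORP\\svc_backup 10.1.9.7 ENG-WS-031 10",
    "2011-02-09T22:04:55 CORP\\svc_backup 10.1.9.7 GEO-DATA-02 10",
    "2011-02-09T22:05:30 CORP\\svc_backup 10.1.9.7 FIN-PROJ-01 10",
    "2011-02-10T08:30:00 CORP\\bob 10.1.4.40 FILESRV01 3",
]

REMOTE_LOGON_TYPES = (3, 10)


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, account, src, target, ltype = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "src": src,
        "target": target,
        "type": int(ltype),
    }


def find_fan_out(events, window=timedelta(minutes=30), min_hosts=4):
    """Return {account: sorted target hosts} for every account that performed
    remote logons to at least `min_hosts` distinct hosts within `window`.
    A human administrator rarely touches that many hosts that fast; a
    credential-driven sweep does."""
    by_account = defaultdict(list)
    for e in events:
        if e["type"] in REMOTE_LOGON_TYPES:
            by_account[e["account"]].append(e)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first hit.
        for i, start in enumerate(evs):
            hosts = {x["target"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def off_hours_accounts(events, start_hour=7, end_hour=19):
    """Accounts with remote logons outside business hours. The hours are an
    assumed local-time policy; interpret them in the log's own timezone."""
    return sorted(
        {
            e["account"]
            for e in events
            if e["type"] in REMOTE_LOGON_TYPES
            and not (start_hour <= e["ts"].hour < end_hour)
        }
    )


def analyse(lines):
    """Run both checks over raw log lines and return the findings."""
    events = [parse_event(l) for l in lines]
    return {
        "fan_out": find_fan_out(events),
        "off_hours": off_hours_accounts(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

Both checks only work if logon events are centrally collected and actually reviewed, which is the point Landesman makes: the individual events are legitimate-looking, so the signal is in the aggregate, and nothing fires unless someone (or something) is looking.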

Fear and Loathing Rule, OK

McAfee’s evidence — the location of IP addresses, and the tools and techniques used by the hackers — doesn’t definitively prove the hackers are based in China.

“Geographical location of command and control servers or malware domains does not necessarily reflect the country of origin for the attacks,” Cisco’s Landesman said. Through all the years Cisco has been monitoring threats to industries, it could not find a definitive link to any particular country, she added.

“I could be typing today right here outside of Chicago on one console and move to another that’s manipulating the state, posture and actions of a host halfway around the world, and you’d never be the wiser,” HP DVLabs’ Gragido pointed out.

Further, McAfee’s assertion that the times of the attacks coincided with working hours in Beijing is also not solid proof that the hackers were in fact Chinese. Automated routines can take care of the timing issue.

“If I have control of, say, 50 hosts in unique geolocations, and I have done enough work to establish with certainty the localized, accepted behavioral norms, who’s to say that I couldn’t or wouldn’t establish automated data jobs to harvest data working in collusion with individual activities?” Gragido asserted.


More by Richard Adhikari