McAfee: Night Dragon Cyber-Attack Unsophisticated but Effective

Researchers say "Night Dragon" was effective at targeting critical infrastructure companies but was not very sophisticated in its methods.

It is no secret critical infrastructure companies are on the hit list of cyber-attackers. The latest entry on the list today comes courtesy of McAfee, whose researchers uncovered a campaign of coordinated, covert attacks targeting oil, energy and petrochemical companies that stretches back to November 2009.

The attacks, which McAfee has collectively dubbed "Night Dragon" (PDF), are believed to emanate from China and relied on a mix of spear-phishing, social engineering, Windows bugs and remote administration tools (RATs) for success--none of which are particularly advanced, researchers said.

"The attacks were not very sophisticated and did not use any zero-day exploits," said Dmitri Alperovitch, vice president of threat research at McAfee Labs. "They were, however, very successful, and information that (has) been (exfiltrated) has enormous potential value to competitors."

That information, he said, includes financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.

The attacks - which are still ongoing - span the globe, and have touched companies, individuals and executives in Kazakhstan, Taiwan, Greece and the United States. Circumstantial evidence found by McAfee points to attackers based in China. For example, McAfee said it identified an individual based in Heze City who provided crucial command and control (C&C) infrastructure to the attackers.

"The individual runs a company that, according to the company's advertisements, provides 'Hosted Servers in the U.S. with no records kept' for as little as 68 RMB (US$10) per year for 100 MB of space," McAfee said in its report. "The company's U.S.-based leased servers have been used to host the zwShell C&C application that controlled machines across the victim companies."

"Beyond the curious use of the "zw.china" password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were "company men" working on a regular job, rather than freelance or unprofessional hackers," according to the report. "In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords."

To deploy their hacking tools, the attackers looked to compromise perimeter security through SQL injection attacks on extranet Web servers, targeted spear-phishing attacks aimed at mobile workers' laptops and compromising corporate VPN accounts.

"Once the initial system was compromised, the attackers compromised local administrator accounts and Active Directory administrator (and administrative users) accounts," according to McAfee. "The attackers often used common Windows utilities, such as SysInternals tools (acquired by Microsoft in 2006) - and other publicly available establish "backdoors" through reverse proxies and planted Trojans that allowed the attackers to bypass network and host security policies and settings. Desktop antivirus and anti-spyware tools were also disabled in some instances - a common technique of targeted attacks."

Using password racking and pass-the-hash tools, the attackers gained additional usernames and passwords. In addition, they used RAT malware to connect to other machines and swipe e-mail archives and documents belonging to executives.

"What's remarkable about the MO [modus operandi], is these are fairly standard techniques from Network Breach 101," said Anup Ghosh, founder and chief scientist of Invincea. "Unfortunately this looks like another successful user-targeted attack through spear phishing from what appears to be nation-state actors who make it their day job to go after critical U.S. industry assets."

McAfee CTO George Kurtz blogged that it was possible the attack actually stretched back as far as four years.

"Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise," he wrote. "These targets have now moved beyond the defense industrial base, government and military computers to include global corporate and commercial targets. More and more, these attacks focus not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property."