Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Networking

    McAfee: Night Dragon Cyber-Attack Unsophisticated but Effective

    By
    Brian Prince
    -
    February 10, 2011
    Share
    Facebook
    Twitter
    Linkedin

      It is no secret critical infrastructure companies are on the hit list of cyber-attackers. The latest entry on the list today comes courtesy of McAfee, whose researchers uncovered a campaign of coordinated, covert attacks targeting oil, energy and petrochemical companies that stretches back to November 2009.

      The attacks, which McAfee has collectively dubbed “Night Dragon” (PDF), are believed to emanate from China and relied on a mix of spear-phishing, social engineering, Windows bugs and remote administration tools (RATs) for success–none of which are particularly advanced, researchers said.

      “The attacks were not very sophisticated and did not use any zero-day exploits,” said Dmitri Alperovitch, vice president of threat research at McAfee Labs. “They were, however, very successful, and information that (has) been (exfiltrated) has enormous potential value to competitors.”

      That information, he said, includes financial documents related to oil and gas field exploration and bid negotiations, as well as operational details on oil and gas field production supervisory control and data acquisition (SCADA) systems.

      The attacks – which are still ongoing – span the globe, and have touched companies, individuals and executives in Kazakhstan, Taiwan, Greece and the United States. Circumstantial evidence found by McAfee points to attackers based in China. For example, McAfee said it identified an individual based in Heze City who provided crucial command and control (C&C) infrastructure to the attackers.

      “The individual runs a company that, according to the company’s advertisements, provides ‘Hosted Servers in the U.S. with no records kept’ for as little as 68 RMB (US$10) per year for 100 MB of space,” McAfee said in its report. “The company’s U.S.-based leased servers have been used to host the zwShell C&C application that controlled machines across the victim companies.”

      “Beyond the curious use of the “zw.china” password that unlocks the operation of the zwShell C&C Trojan, McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were “company men” working on a regular job, rather than freelance or unprofessional hackers,” according to the report. “In addition, the attackers employed hacking tools of Chinese origin and that are prevalent on Chinese underground hacking forums. These included Hookmsgina and WinlogonHack, tools that intercept Windows logon requests and hijack usernames and passwords.”

      To deploy their hacking tools, the attackers looked to compromise perimeter security through SQL injection attacks on extranet Web servers, targeted spear-phishing attacks aimed at mobile workers’ laptops and compromising corporate VPN accounts.

      “Once the initial system was compromised, the attackers compromised local administrator accounts and Active Directory administrator (and administrative users) accounts,” according to McAfee. “The attackers often used common Windows utilities, such as SysInternals tools (acquired by Microsoft in 2006) – and other publicly available software…to establish “backdoors” through reverse proxies and planted Trojans that allowed the attackers to bypass network and host security policies and settings. Desktop antivirus and anti-spyware tools were also disabled in some instances – a common technique of targeted attacks.”

      Using password racking and pass-the-hash tools, the attackers gained additional usernames and passwords. In addition, they used RAT malware to connect to other machines and swipe e-mail archives and documents belonging to executives.

      “What’s remarkable about the MO [modus operandi], is these are fairly standard techniques from Network Breach 101,” said Anup Ghosh, founder and chief scientist of Invincea. “Unfortunately this looks like another successful user-targeted attack through spear phishing from what appears to be nation-state actors who make it their day job to go after critical U.S. industry assets.”

      McAfee CTO George Kurtz blogged that it was possible the attack actually stretched back as far as four years.

      “Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise,” he wrote. “These targets have now moved beyond the defense industrial base, government and military computers to include global corporate and commercial targets. More and more, these attacks focus not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property.”

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×