Chinese Night Dragon Attack Hits Energy Companies

The world’s energy companies are under a concerted cyber-attack from China, dubbed Night Dragon, which is taking control of internal servers for industrial espionage, according to security firm McAfee.

The attacks, which started in November 2009, use social engineering, spearphishing attacks and Microsoft Windows operating system vulnerabilities, as well as remote administration tools (RATs), to harvest competitive information on issues such as oil and gas field bids and operations, according to a white paper released today by McAfee.

Oil companies are under attack

“McAfee has identified the tools, techniques and network activities used in these attacks, which continue on to this day,” said McAfee CTO George Kurtz in a blog post.

The attacks use “standard host administration techniques that utilize administrative credentials,” said Kurtz. “This is largely why they are able to evade detection by standard security software and network policies.”

However, McAfee has correlated the effects and reckons there is a concerted effort, and has updated signatures to look for Night Dragon. “We can now associate the various signatures that we have seen in these attacks to this particular event called Night Dragon,” said Kurtz.

Once one system has been compromised, the attackers use conventional administration tools, and RATs such as Gh0st and zwShell to exploit that machine, distribute Trojans, and download account hashes from which passwords can eventually be extracted with tools like Cain & Abel.

McAfee has confirmed five large companies which are victims of Night Dragon attacks, and estimates up to a dozen companies are affected – but is not free to name the victims.

Espionage, not cyber war

McAfee’s report describes espionage, rather than cyber-war, but lends weight to fears of concerted attacks, which have been expressed by the OECD, by Defence Minister Nick Harvey, and by the boss of the government snooping station GCHQ.

McAfee will talk more about the attack, at the RSA conference in San Francisco.