Schwartz On Security: Unraveling Night Dragon Attacks
Attacks launched from China against oil and gas companies used simple hacking tools and even legitimate software.
Vendors as well as government agencies seeking funding love to trot out the "be afraid" mantra. This year's RSA conference is no exception, with Stuxnet now the cause célèbre.
Is there a dose of sabotage in your future? Perhaps, as apparently even the pro-WikiLeaks hacking collective Anonymous now has a copy of Stuxnet. That's according to a recent tweet by one self-described member of the collective known as Topiary.
So if you operate an Internet-connected nuclear centrifuge that runs Siemens Simatic WinCC SCADA systems software, working in conjunction with 33 or more frequency converter drives from specific vendors in Iran or Finland -- all of this being the only environment that Stuxnet targets -- watch out.
For everyone else, it's back-to-basics time, especially in the wake of last week's report from McAfee revealing that since November 2009 -- and possibly earlier -- "coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies."
The goal was apparently simple: to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.
While McAfee didn't reveal the targeted companies, it says the operation -- which it dubbed Night Dragon -- appeared to originate in China and to not involve anarchist talent, as attackers worked from 9 to 5, Beijing time. Or in the words of the report, it appears that "the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers." Furthermore, McAfee says it traced at least one person that helped support the attacks -- by leasing Internet hosting to the attackers -- to Heze City, 360 miles from Beijing.
How did attackers break into oil and gas companies? Via the usual suspects: SQL injection attacks to compromise perimeter security, followed by social engineering and phishing attacks, exploiting known Windows and Active Directory vulnerabilities, as well as using customized remote administration tools (RATs) to connect directly with compromised computers.
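The article names SQL injection as the perimeter entry point but does not show what that looks like in code. The following added example (not from the article or from McAfee's report) contrasts a query built by string concatenation with a parameterized one, using a constructed in-memory SQLite table as a stand-in for a web application's user store; the table, its rows and the crafted input are all assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a perimeter web app's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "engineer"), ("bob", "finance"), ("admin", "administrator")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Builds the SQL text by concatenation: whatever the caller supplies
    # becomes part of the statement and is parsed as SQL.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Parameterized query: the driver binds the value as data, so quote
    # characters in the input never change the statement's structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    # Runs both lookups on a normal value and on a classic tautology input
    # (constructed), so the difference in returned rows is visible.
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "hard_normal": lookup_hardened(conn, normal),
        "hard_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns every row for the crafted input because the `OR '1'='1'` clause becomes part of the statement; the parameterized version treats the same string as a literal username and matches nothing. The fix is the same whatever database driver is in use: bind values, never splice them into query text.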
"These methods and tools are relatively unsophisticated," says George Kurtz, worldwide CTO of McAfee, in a blog post. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."
In other words, unlike Stuxnet, or the Aurora attacks that targeted Google and other major technology companies about a year ago, attackers here used cheap tools and techniques to execute targeted attacks that apparently succeeded at procuring valuable information.
What's the takeaway from Night Dragon, for the energy sector or any other business? Simply this: When it comes to cybercriminals, it's business as normal. "The report reflects not so much a single piece of sophistication, in either attack methodology or malware. Instead it emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data," says Fraser Howard, a principal virus researcher at SophosLabs, in a blog post.
As with so many attacks, criminals relied on known vulnerabilities and common attack vectors. "The truth is that this week is no different to last -- there is no new outbreak, vulnerability, or risk of infection," he says. "Instead, the attacks illustrate the background crimeware menace that all organizations face."
But if there's one immediate takeaway, he says, it's that more organizations should be using potentially unwanted application (PUA) and application control (AppC) detection technology to monitor for legitimate but unwanted software operating inside the network. "The one thing clear from the Night Dragon attacks is that the use of PUA and AppC detections should not be dismissed," says Fraser. "Using these types of technology to help manage what is allowed to run on your network can clearly provide a real security benefit."
In other words, don't be afraid. Simply be prepared.