“Night Dragon” — The New ‘More of the Same’?

February 27, 2011

A Wall Street Journal story reported earlier this month that attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against energy corporations, in some cases for years.  They relayed that these “cyberattacks successfully took gigabytes of highly sensitive internal documents.”

The WSJ piece includes a “cyber warfare” spin on this activity.  Exploring Google Trends and informally monitoring the security and technical press suggests that hyping issues with references to “cyber warfare” or “cyber war” has been on the rise in some channels.  There seem to be many motivations for that hype.  In financial services, it is more productive to focus on the specific families of Internet-enabled criminal activity that are targeting global business (financial services, in my case) than to link communications about that activity with the broader, multi-purpose “cyber warfare” moniker.

McAfee named these attacks “Night Dragon” in a recently-published report.

McAfee announced that they have “identified a string of attacks designed to steal sensitive data from targeted organizations” by perpetrators that “appear to be sophisticated, highly organized, and motivated in their pursuits.”  McAfee emphasized that these were not opportunists, preying on some shared industry weakness…  They say that the attacks could have been running for the last four years, but started no later than November 2009 and that individual company losses were in the many millions of dollars. (pages 3 & 7)

In that report they argued that these attacks were part of a broader trend where “adversaries are rapidly leveraging productized malware toolkits that let them develop more malware than in all prior years combined, and they have matured from the prior decade to release the most insidious and persistent cyberthreats ever known.” (page 3)

McAfee outlined the stages of “Night Dragon” attacks as:

  • Compromised extranet webservers via SQL injection and remote command execution, as well as targeted spear-phishing.
  • Uploaded hacker tools to these more “trusted” servers to attack each company’s intranet, desktops, and servers.
  • Gained access to sensitive non-public information from internal desktops and servers.
  • Accessed additional usernames and passwords to broaden their access to sensitive information.
  • Used compromised perimeter web servers as command and control platforms for the company-internal desktops and servers.  They later enabled direct communication from infected internal machines to external command and control infrastructure on the Internet.
  • Used remote administration tools to explore other internal hosts, targeting executives.
  • Exfiltrated gigabytes of email archives and other sensitive documents from executives’ compromised computers.
    (page 4)
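A defender can turn two of these stages into a review of retained network flow logs: perimeter web servers opening sessions into the intranet, and internal hosts reaching the Internet directly. The sketch below is an added example, not taken from the McAfee report or from this post; the zone ranges, the proxy address, the CSV layout and the sample records are all constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed zone layout, constructed for this example (not from the report).
DMZ = ip_network("172.16.10.0/24")           # extranet web servers
INTERNAL = ip_network("10.0.0.0/8")          # desktops and internal servers
EGRESS_PROXIES = {ip_address("10.1.1.10")}   # only sanctioned path to the Internet

# Constructed flow records: time, initiating source, destination, dest port.
SAMPLE_FLOWS = """\
2010-03-02T01:14:07Z,172.16.10.15,10.20.4.31,445
2010-03-02T01:15:40Z,10.20.4.31,172.16.10.15,80
2010-03-02T09:02:11Z,10.20.7.88,10.1.1.10,8080
2010-03-09T02:41:55Z,10.20.4.31,203.0.113.77,443
2010-03-09T08:30:00Z,10.1.1.10,198.51.100.20,443
"""

def zone(addr):
    """Map an address to 'dmz', 'internal' or 'external'."""
    ip = ip_address(addr)
    if ip in DMZ:
        return "dmz"
    return "internal" if ip in INTERNAL else "external"

def review_flows(text):
    """Return (time, src, dst, port, label) for flows matching either pattern."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, src, dst, dport = row
        path = (zone(src), zone(dst))
        if path == ("dmz", "internal"):
            # A perimeter web server opening sessions into the intranet.
            findings.append((ts, src, dst, int(dport), "dmz-to-intranet"))
        elif path == ("internal", "external") and ip_address(src) not in EGRESS_PROXIES:
            # An internal host talking to the Internet without the proxy.
            findings.append((ts, src, dst, int(dport), "direct-egress"))
    return findings

def hosts_in_both_patterns(findings):
    """Internal hosts that appear under more than one finding label."""
    seen = {}
    for _, src, dst, _, label in findings:
        for host in (src, dst):
            if zone(host) == "internal":
                seen.setdefault(host, set()).add(label)
    return sorted(h for h, labels in seen.items() if len(labels) > 1)
```

Calling `review_flows(SAMPLE_FLOWS)` flags the first and fourth records, and `hosts_in_both_patterns` then singles out the one internal host that appears in both, which is where a historical investigation would start.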

McAfee points out that in global corporations, the attacker’s hunt for internal points of “weakness” is also global.  In this case, “Night Dragon” attackers persisted until finding a critical mass of their targeted information.  Proprietary and highly confidential information was stolen from individuals and executives in Kazakhstan, Taiwan, Greece, as well as the United States. (page 4)

McAfee concludes that “While Night Dragon attacks focused specifically on the energy sector, the tools and techniques of this kind can be highly successful when targeting any industry.”  Those of us in financial services should not assume that these attackers only care about oil…

The report is a good read, and if you have not had the opportunity to review it, you should.

The report also spurred some interesting follow-on reporting:

McAfee said that the Night-Dragon attackers stole proprietary information from the networks of Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc.  Michael Riley wrote for Bloomberg that sources told him Marathon Oil, ConocoPhillips and Baker Hughes were successfully targeted as well.  He highlighted opinions supporting the notion that the Chinese government is involved in this activity as part of their efforts to support a “massive economic leap forward.”  He went on to argue that “The thefts might trigger legal liability for companies that chose not to disclose them to investors.”  In the United States, investors expect that “material” corporate facts will be disclosed in a timely manner.  They also expect that corporations will implement adequate technology and procedures to protect their “crown jewels.”

Phil Muncaster outlined the McAfee report for V3, restating that “The attacks used methodical but far from sophisticated hacking techniques, including SQL injection, password hacking and remote access Trojans.”  He advised that “Companies suspecting that they may have been targeted are urged to look through anti-virus and network traffic logs” — the McAfee report offers some assistance concerning what to look for.  Unless your infrastructure is designed to retain, maybe even normalize, these logs, a multi-year historical investigation of host and network activity might not be a practical matter…

Fraser Howard of SophosLabs highlighted that the McAfee report “emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data.”  He argues that risk management professionals, as well as all corporate leaders, need to understand that “Night Dragon” was not special; rather, it is only an illustration of the Internet-enabled criminal menace that all organizations face today.

Fraser Howard’s argument about the new normal might be the most important message we can take from the McAfee report.  What do you think?

– References –

“Oil Firms Hit by Hackers From China, Report Says.” By Nathan Hodge & Adam Entous, 02-10-2011
http://online.wsj.com/article/SB10001424052748703716904576134661111518864.html?mod=WSJ_WSJ_US_News_5

“Global Energy Cyberattacks: ‘Night Dragon.’” By McAfee® Foundstone® Professional Services and McAfee Labs™, February 10, 2011.
http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf And “Night Dragon.” http://www.mcafee.com/mx/about/night-dragon.aspx

“Exxon, Shell, BP Said to Have Been Hacked Through Chinese Internet Servers.” By Michael Riley – Feb 24, 2011
http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html

“Hackers Breach Tech Systems of Oil Companies.” By John Markoff, 02-10-2011.
http://www.nytimes.com/2011/02/10/business/global/10hack.html?_r=2&hp

“Night Dragon hackers targeted Shell, BP and Exxon — IT security at global petrochemical firms called into question.” By Phil Muncaster, 02-24-2011
http://www.v3.co.uk/v3/news/2274971/shell-bp-exxon-mobil

“Night Dragon attacks: myth or reality?” by Fraser Howard, 02-11-2011
http://nakedsecurity.sophos.com/2011/02/11/night-dragon-attacks-myth-or-reality/

“Schwartz On Security: Unraveling Night Dragon Attacks.” By Mathew J. Schwartz, 02-17-2011.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=229218811&cid=RSSfeed_IWK_All

Google Trends.
http://www.google.com/trends?q=cyber+warfare&ctab=0&geo=all&date=all&sort=0
According to a Google Trends search performed on Feb 27, 2011, material amounts of searches for “cyber warfare” began mid-2009.  There had been a small amount of noise in the news starting in 2001.  Pakistan generated more than twice as many searches for “cyber warfare” as any of Singapore, India, or the United States, the next three highest, in that order.  That said, Washington, DC, USA, is the city that has generated the largest number of searches for “cyber warfare.”
Google searches and news references to “cyber war” follow a curve similar to that of “cyber warfare,” except that Pakistan no longer leads in searches, Singapore taking over that spot.

“Cyberwarfare Called Fifth Domain of Battle by Pentagon.” By Paul Wagenseil, Feb 16, 2011
http://www.securitynewsdaily.com/cyberwarfare-called-fifth-domain-of-battle-by-pentagon-0531/


Are You Better Prepared than Nasdaq?

February 5, 2011

Are You Prepared to Explain Why Your Enterprise Is Better Prepared than Nasdaq?

The value of any financial services corporation’s brand depends, in part, upon individual, investor, marketer, other intermediary, analyst, and regulator faith that the corporation is effectively protecting its sensitive information and financial assets from abuse.

When the Wall Street Journal publishes “big” stories about successful hacking of major financial services institutions — like Nasdaq in this case — it seems reasonable to assume some of your customers, partners, investors, analysts, Board members, and more will have concerns about your capabilities to resist the same types of attacks.

This WSJ story is getting reflected throughout the press and beyond.  Additional facts about the situation are also being published — Reuters reported that an Internet-facing application vulnerability may have played a role, and the NYT reported that it was Nasdaq’s Director’s Desk, which is used by corporations, including their boards of directors, to store and share information.  After the original reports, Nasdaq revealed that the problem involved malware found in Director’s Desk, which had 5000 users…  It seems prudent for you to take the time to glance through these articles, think about your current situation and your plans, and then use some of the article content to prepare targeted communications about this issue in the context of your operations.

One key target population will likely be decision-makers throughout each line of business in your enterprise.  Unless your corporation is dramatically above the norm, you need to invest in exploiting opportunities like these.  It is time again to craft and deliver resources aimed at helping support better-informed decision-making about risk-appropriate investments in measures to protect information and financial assets, and supporting operations.

Updated 02-05-2011, 22:33, adding information about Director’s Desk.

-References-

“Hackers Penetrate Nasdaq Computers.” Feb. 5, 2011, by Devlin Barrett
http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

“Nasdaq Acknowledges Security Breach.” Feb. 5, 2011, by Devlin Barrett http://online.wsj.com/article/SB10001424052748704843304576126370179332758.html

“Nasdaq finds ‘suspicious files’ in hacker probe” Feb. 5, 2011, by Jonathan Spicer http://www.reuters.com/article/2011/02/05/nasdaq-hackers-idUSWEN712420110205

“Hackers Gained Access to Nasdaq Systems, but Not Trades.” Feb. 5, 2011, by Graham Bowley http://www.nytimes.com/2011/02/06/business/06nasdaq.html?partner=rss&emc=rss

