Strategic Industries Should Go On High Alert

Friday, February 11, 2011

Richard Stiennon


A frightening pattern of targeted espionage reports has a new entry, provided by McAfee.

The Night Dragon report details a concerted effort to harvest oil and gas reserve information and other highly confidential data from the executives of at least five major oil, gas, and energy companies.

Reserve-trading and SCADA information were also compromised. McAfee provides strong attribution that the attacks came from China (strong, not conclusive; conclusive attribution would require a believable source taking credit for the attacks).

The pattern indicates that China engages in focused projects that target particular industries or governments. 

A brief timeline with ever increasing attribution:

2004 Titan Rain (Slideshare presentation)

2006 British MPs targeted. (Guardian, Smash and Grab, the High Tech Way)

2007 German Chancellery compromised and China accused of being the perpetrator. (Der Spiegel, Merkel's China Visit Marred by Hacking Allegations)

2007 US Pentagon email servers compromised for an extended period. Cost to recover: $100 million. (Paul, Ryan. "Pentagon e-mail taken down by hackers." Ars Technica, 22 June 2007)

2007 Oak Ridge National Laboratory targeted by Chinese hackers (Stiennon, Haephratic Technique Used to Crack US Research Lab)

2009 Ghostnet report from SecDev on Chinese infiltration of Dalai Lama's office. (Scribd presentation: Tracking GhostNet)

2009 Three largest resource companies in Australia, including Rio Tinto, compromised. (Rio Tinto hacked at time of Hu arrest)

2009 Google Aurora attacks target user data and source code. (McAfee blog)

2010 Corollary Aurora attacks against Marathon Oil, ExxonMobil, and ConocoPhillips. (Christian Science Monitor, US oil industry hit by cyberattacks: Was China involved?)

2010 Shadows in the Cloud report from SecDev on successful attacks against India's military networks. (Scribd report: Shadows in the Cloud)

2011 McAfee Night Dragon provides details of attacks against five large energy companies. (McAfee: Global Energy Cyber Attacks: "Night Dragon")

This trail of increasing attribution should be taken as a critical alert to industry groups that deal with strategic global information including:

  • State departments
  • Military
  • Critical resources including agriculture, oil, gas, building materials, mining (iron, aluminum, gold, silver, platinum and alloy ingredients such as molybdenum, magnesium, palladium, chromium).
  • Computers and technology

These industries should be on high alert and take extraordinary measures to first determine whether they have already been compromised, and then lock down their environments.

Tools such as Damballa, FireEye, Guidance Software, and NetWitness should be deployed immediately to detect "beaconing" connections from inside their networks to command-and-control servers: compromised hosts typically call home on a fixed schedule, so regular, low-jitter outbound connections to the same external host are a strong indicator worth hunting for in existing proxy, firewall, or NetFlow logs even before a dedicated product is in place.

Web application firewalls from Application Security, F5, or Imperva should be deployed in front of exposed web resources. Whitelisting products from Bit9, Coretrace, Lumension, or Savant Protection should be trialled immediately on executive laptops.

Adversaries using persistent, pernicious methods are targeting the data of globally strategic industries (see the webinar New Definition of APT). Business as usual based on risk-based methodologies has to be supplanted by an urgent revamping of security deployments to counter a frightening new level of threat.

Cross-posted from ThreatChaos

Don Eijndhoven: Excellent piece as always, Richard. I'm currently working for a global company that could well be targeted and they're on high alert now. I've forwarded them this article. NetWitness is indeed a great tool.

Don E.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
