
http://blogs.mcafee.com/corporate/cto/global-energy-industry-hit-in-night-dragon-attacks

Global Energy Industry Hit In Night Dragon Attacks

Wednesday, February 9, 2011 at 9:18pm by George Kurtz

In 2010 McAfee Labs processed an average of almost 55,000 pieces of new malware every day. That nearly mind-numbing amount makes it difficult for any particular attack to stand out. Today, however, I want to highlight one large scale attack that is a clear example of how cybercrime has evolved from something of a hobbyist affair to a very professional activity. We call this specific attack Night Dragon.

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.

McAfee has identified the tools, techniques, and network activities used in these attacks, which continue on to this day. These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).

While the list above may seem impressive to the layperson, these methods and tools are relatively unsophisticated. The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies. In fact these techniques are very common across many of the intrusions we examine. Intrusion techniques that we wrote about since 1999 in the original Hacking Exposed text still work very well a decade later.

Anatomy Of The Night Dragon Attack

Since the initial compromises, however, McAfee and other security vendors have been able to identify the malicious software and tools used in these attacks and provide protection. McAfee recommends that companies review McAfee ePolicy Orchestrator software and anti-virus logs for NightDragon signature detections and Network Security Platform intrusion detection systems for "BACKDOOR: NightDragon Communication Detected" alerts.

Only through recent analysis and the discovery of common artifacts and evidence correlation have we been able to determine that a dedicated effort has been ongoing for at least two years and, likely, as many as four. We can now associate the various signatures that we have seen in these attacks to this particular event called Night Dragon.

We have also taken a close look at who might be behind these attacks. We have strong evidence suggesting that the attackers were based in China. The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups. McAfee has determined identifying features to assist companies with detection and investigation.

The Night Dragon attacks as well as countermeasures and tips on how to identify if your organization was targeted in these attacks are detailed in a white paper published today.

Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets.

More and more, these attacks focus not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property. Focused and efficient define the very essence of today's attackers. Thus, it is vital that organizations work proactively toward protecting the very lifeblood of many organizations: their intellectual property.

George

PS: If you're attending the RSA Conference in San Francisco next week, come see Stu McClure and I discuss this attack and others during our Hacking Exposed session at 1 PM on Thursday Feb. 17 in Red Room 103.

You can follow McAfee CTO George Kurtz on Twitter at http://twitter.com/george_kurtzcto
