NIGHT DRAGON IS JUST A ‘DRESS REHEARSAL’
By Victoria Loewengart (Partner, TBI, LLC., www.insidertalk.net)
What is Night Dragon?
McAfee's report describes Night Dragon as a series of “coordinated covert and targeted cyber attacks” conducted against global oil, energy, and petrochemical companies. The goal of the attacks is to steal confidential and proprietary information, including project-financing details, relating to a number of oil and gas field projects.
Who is behind it?
McAfee alleges that the attacks started as far back as 2009 and originated in China. They do not appear to be the work of random hackers, but of a well-organized, persistent, and knowledgeable group who kept regular nine-to-five working hours.
The most likely culprit is China’s People’s Liberation Army sponsoring “China’s Cyber Militia”: a large number of hackers working through volunteer nationalistic organizations or government agencies.
McAfee analysts have been able to identify one individual who has provided the crucial C&C (Command and Control) infrastructure to the attackers — this individual is based in Heze City, Shandong Province, China. It is not believed that this individual is the mastermind behind these attacks; it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions.
The individual runs a company that, according to its advertisements, provides “Hosted Servers in the U.S. with no records kept” for as little as 68 RMB (US$10) per year for 100 MB of space. The company’s U.S.-based leased servers have been used to host the zwShell C&C application (zwShell is a Trojan dropper designed to create a customizable backdoor remote administration tool for installation on target machines), which controlled machines across the victim companies.
Source: McAfee® Foundstone® Professional Services and McAfee Labs™. “Global Energy Cyberattacks: ‘Night Dragon’.” McAfee, February 10, 2011. http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
How it is done
According to McAfee, the Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure. The following basic activities were performed by the Night Dragon operation:
• Company extranet web servers were compromised through SQL-injection techniques, allowing remote command execution
• Commonly available hacker tools were uploaded to the compromised web servers, allowing the attackers to pivot into the company’s intranet and reach sensitive desktops and servers internally
• Using password-cracking and pass-the-hash tools, the attackers gained additional usernames and passwords, giving them further authenticated access to sensitive internal desktops and servers
• After initially using the company’s compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable the Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet
• Using remote administration tool (RAT) malware, they proceeded to connect to other machines (targeting executives) and infiltrate email archives and other sensitive documents
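As an added illustration of how a defender would look for the first and fourth steps above (this is example code written for this page, not anything from the article or the McAfee report): the script scans constructed IIS-style W3C web-server log lines for SQL-injection requests that carry command-execution payloads, and compares a constructed per-host inventory of Internet Explorer proxy settings against an assumed corporate baseline to catch the “proxy disabled” change. The log field order, addresses, hostnames, the baseline proxy and the registry value checked (ProxyEnable under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the standard per-user IE proxy switch; the page does not name which value the attackers changed) are all assumptions made for the example.

```python
"""Added detection sketch for the Night Dragon chain (not the report's code).

Step 1: SQL injection on an extranet web server reaching command execution.
Step 4: IE proxy disabled so infected desktops reach the Internet directly.
All log lines, hostnames and registry values below are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Default IIS W3C extended field order (assumed for the sample log below).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# Indicators that an injection has progressed to command execution on
# Microsoft SQL Server (stacked query into xp_cmdshell / sp_oacreate), plus
# the tautology, comment and UNION probes that usually precede it.
SQLI_PATTERNS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "sp_oacreate": re.compile(r"sp_oacreate", re.I),
    "stacked_exec": re.compile(r";\s*exec(ute)?\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "comment_terminator": re.compile(r"'\s*--"),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}


def decode_query(raw, rounds=3):
    """URL-decode up to `rounds` times; attackers double-encode to dodge filters."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def parse_iis_line(line):
    """Split one W3C log line into a dict; directives (#Fields ...) give None."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_web_log(lines):
    """Return one finding per request whose decoded query matches an indicator."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None or rec["cs-uri-query"] == "-":
            continue
        query = decode_query(rec["cs-uri-query"])
        hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(query)]
        if hits:
            findings.append({"client": rec["c-ip"], "uri": rec["cs-uri-stem"],
                             "status": rec["sc-status"], "query": query,
                             "indicators": hits})
    return findings


# Where IE keeps its per-user proxy settings (real key; which value the
# attackers changed is an assumption here). A proxied corporate desktop
# should have ProxyEnable=1 and ProxyServer pointing at the corporate proxy.
IE_PROXY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def check_proxy_settings(host_settings, expected_proxy):
    """Return hosts whose IE proxy is disabled or points somewhere unexpected.

    host_settings maps hostname -> {"ProxyEnable": int, "ProxyServer": str},
    as would be collected from IE_PROXY_KEY on each desktop.
    """
    suspicious = {}
    for host, vals in host_settings.items():
        if vals.get("ProxyEnable", 0) != 1:
            suspicious[host] = "proxy disabled (direct Internet access possible)"
        elif vals.get("ProxyServer") != expected_proxy:
            suspicious[host] = "proxy repointed to %s" % vals.get("ProxyServer")
    return suspicious


# Constructed sample log (not captured evidence): a benign request, a stacked
# xp_cmdshell probe, a tautology probe, and an unrelated login.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-11-03 02:14:07 10.0.5.20 GET /extranet/projects.asp id=12 80 - 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 31
2009-11-03 02:14:09 10.0.5.20 GET /extranet/projects.asp id=12%27%3B+exec+master..xp_cmdshell+%27dir+c%3A%5C%27-- 80 - 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 500 0 0 203
2009-11-03 02:14:15 10.0.5.20 GET /extranet/projects.asp id=12%27+or+%271%27%3D%271 80 - 203.0.113.44 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 40
2009-11-03 02:15:01 10.0.5.20 GET /extranet/login.asp user=jsmith 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 22
""".splitlines()

# Constructed proxy inventory; hostnames and the corporate proxy are assumptions.
SAMPLE_PROXY_SETTINGS = {
    "WS-EXEC-01": {"ProxyEnable": 1, "ProxyServer": "proxy.corp.example:8080"},
    "WS-EXEC-02": {"ProxyEnable": 0, "ProxyServer": "proxy.corp.example:8080"},
    "WS-FIN-07": {"ProxyEnable": 1, "ProxyServer": "203.0.113.9:8080"},
}

if __name__ == "__main__":
    for f in scan_web_log(SAMPLE_LOG):
        print("SQLi %s -> %s (HTTP %s) [%s]: %s" % (
            f["client"], f["uri"], f["status"], ", ".join(f["indicators"]), f["query"]))
    for host, why in check_proxy_settings(SAMPLE_PROXY_SETTINGS,
                                          "proxy.corp.example:8080").items():
        print("%s: %s" % (host, why))
```

Run as-is it flags the two probing requests from 203.0.113.44 and the two hosts whose proxy settings diverge from the baseline. The xp_cmdshell hit that came back as an HTTP 500 is the one to chase first, since a server error on a stacked query usually means the payload reached the database engine; the tautology probe on its own is reconnaissance. In practice the same two checks would run over live IIS logs and a proxy-settings inventory pulled from each desktop, and a host that flips from ProxyEnable=1 to 0 without a change ticket is exactly the signal step 4 of the chain leaves behind.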
Once the initial system was compromised, the attackers went on to take over local administrator accounts and Active Directory administrator (and other administrative user) accounts. They often used common Windows utilities, such as the Sysinternals tools (acquired by Microsoft in 2006), and other publicly available software, including hacking tools developed in China and widely available on Chinese underground hacker websites, to establish “backdoors” through reverse proxies and planted Trojans that allowed them to bypass network and host security policies and settings. Desktop anti-virus and anti-spyware tools were also disabled in some inst