McAfee CTO warns of new combined threat named 'Night Dragon'

News by Dan Raywood

A new large scale attack has been detailed that targets financial systems behind oil and gas fields.

Calling it ‘Night Dragon’, McAfee CTO George Kurtz said that it was a clear example of how cyber crime has evolved from something of a hobbyist affair to a very professional activity.

Targeting proprietary operations and project-financing information on oil and gas field bids and operations, the attacks began in November 2009 and have involved a mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises and the use of remote administration tools.

Kurtz said: “While the list may seem impressive, these methods and tools are relatively unsophisticated. The tools simply appear to be standard host administration techniques that utilise administrative credentials. This is largely why they are able to evade detection by standard security software and network policies.

“In fact, these techniques are very common across many of the intrusions we examine. Intrusion techniques that we have written about since 1999 in the original Hacking Exposed text still work very well a decade later.

“Since the initial compromises, McAfee and other security vendors have been able to identify the malicious software and tools used in these attacks and provide protection. McAfee recommends that companies review McAfee ePolicy Orchestrator software and anti-virus logs for ‘NightDragon’ signature detections and network security platform intrusion detection systems for ‘BACKDOOR: NightDragon Communication Detected’ alerts.”

He further claimed that only through recent analysis, the discovery of common artefacts and the correlation of evidence has McAfee been able to determine that a dedicated effort has been ongoing for at least two years and possibly as many as four.

In terms of those behind the operation, Kurtz said that there was strong evidence to suggest that the attackers were based in China, as the tools, techniques and network activities used in these attacks originate primarily in China.

“These tools are widely available on the Chinese web forums and tend to be used extensively by Chinese hacker groups. McAfee has determined identifying features to assist companies with detection and investigation,” he said.

“Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defence industrial base, government and military computers to include global corporate and commercial targets.

“More and more, these attacks focus not on using and abusing machines within the organisations being compromised, but rather on the theft of specific data and intellectual property. Focused and efficient define the very essence of today's attackers. Thus, it is vital that organisations work proactively toward protecting the very lifeblood of many organisations: their intellectual property.”

Eddy Willems, security evangelist at G Data Software, said: “The threat of cyber terrorism is no longer a problem of the future. Stuxnet has clearly shown that cyber terrorism is a thing of the present. A targeted attack may cost companies dearly, both in terms of financial losses and productivity loss. The potential proceeds, for instance from extortion, are huge.

“Malware writers do not hesitate to steal and use legitimate certificates for their malware to appear legitimate, so it can deploy its tasks. The masterminds behind these attacks keep on finding new ways to penetrate the isolated process control systems and are becoming increasingly successful at it.”
