Hackers hit 'at least five oil and gas firms' Published duration 10 February 2011

image caption The attacks meant hackers had access to some networks for years

Hackers have run rampant through the networks of at least five oil and gas firms for years, reveals a report.

Compiled by security firm McAfee, it details the methods and techniques the hackers used to gain access to the unnamed multinational firms.

Via a combination of con tricks, computer vulnerabilities and weak security controls, the attackers gained access and stole secrets, it says.

The hackers targeted documents about oil exploration and bidding contracts.

Cashing in

Greg Day, director of security strategy at McAfee, said that the attacks used to break into all the networks were built around code and tools widely available on the net's underground.

As such, he said, they were not very sophisticated but that did not dent their effectiveness.

In its report detailing what it dubbed the Night Dragon attacks , McAfee said the series of co-ordinated attempts to penetrate at least a dozen multinational oil, gas and energy companies began in November 2009. Five firms had confirmed the attacks, said McAfee.

In a long-running campaign, the attacks continued and the hackers methodically worked to penetrate the computer networks of these firms.

The first stage of the attack was to compromise the external server running a company's website. Hacker tools were then loaded on the compromised machine and used to lever open access to internal networks. Then, cracking tools were used to gather usernames and passwords and get deeper access.

Once embedded, the hackers disabled internal network settings so they could get remote access to machines on the corporate networks. Via this route, sensitive documents, proprietary production data and other files were found and pilfered.

McAfee said the information stolen was "tremendously sensitive and would be worth a huge amount of money to competitors".

image caption The concerted attacks on oil firms resemble other specific attacks such as Stuxnet which targeted Iran

Rik Ferguson, director of security research at Trend Micro said the information gathered by McAfee showed this was not a run-of-the-mill incident.

"The intrusions were multi-staged, multi-vector, pervasive and sustained," he said.

Mr Ferguson said most companies would admit that "they come under sustained attack all the time."

"The difficulty is in separating out the white noise of script-kiddies, hobbyists and automated malware infection routines from the targeted intrusion attempts.

McAfee's Mr Day said corporates were going to have to get much better at analysing the attacks hitting them if they were to avoid falling victim in a similar way.

"We have had a decade of cyber crime all about 'write it, randomly spray it and see who falls foul'," he said. "In the next decade many attacks will have a more specific purpose and they will keep going until they are successful."

The attacks seemed to have a motive in common with that behind the Operation Aurora attacks on Google in China and the Stuxnet virus, which targeted industrial plant and machinery, and is thought to have been designed to attack Iran's nuclear programme.

It was not clear if the Night Dragon attacks were state-sponsored, said Mr Day. Circumstantial evidence, such as the fact that all the attack activity took place during the Chinese business day, suggested China was involved but it was by no means conclusive.

Equally, the fact that during its investigation McAfee uncovered the identity of one individual based in China who provided invaluable aid and computer resources to those behind the attacks did not mean everything was backed by China.

The clues could be misdirection, said Mr Day.