I have been going thru the McAfee blog on the Night Dragon attacks on the global energy sector which identified as started in November 2009. The summary of the white paper released by them on this topics includes some key elements:
- The coordinated covert and targeted cyber attacks have been conducted against global oil, energy, and petrochemical companies
- These attacks have involved social engineering, spear phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active
Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.
The anatomy of this attack is summarized as follows
- Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution
- Commonly available hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company.s intranet and giving them access to sensitive desktops and servers internally
- Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers
- Initially using the company.s compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet
- Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive documents
One common theme I see in most of the security breaches is the way the business leaders take security. Many times, it is the lack of management commitment as well as involvement, which leads to a weak system of security in any organization.
An energy sector company is expected to be much worse than that of other business domains if the management is not really keen on security.
The full white paper can be found here.
0 Comments