It should come as no surprise for those keeping a watchful eye on the media, the Internet Threat Landscape and certain social media outlets such as Twitter that McAfee, Inc. releases a report today regarding the ‘Night Dragon’ attacks. The report was well written (though I personally find certain statements a little questionable as I am not sure that this or Stuxnet really represent a ‘new’ class of attack though they are both focused and targeted) and the result of an extensive collaboration. The report states that the attacks that constitute the ‘Night Dragon’ cyber attacks began in 2009. They were executed in manner which was quite reminiscent of those seen in 2009’s GhostNet account which was chronicled by, and presented to the world by Information Warfare Monitor.
Let’s look at the evolution of ‘Night Dragon’ and discuss its origins. As the report states some time in 2009 organized attacks began against select targets of opportunity within the global oil, energy and petrochemical industry. The attacks were multi-vector in nature involving:
- Social engineering
- Targeted spear phishing
- Exploitation of Microsoft operating system vulnerabilities
- Compromises of Microsoft Active Directory infrastructures
- The use of well known & common hacking and system administration tools including but not limited to the Gh0st Remote Access Tool (Gh0st RAT) and Microsoft Sysinternals
The mission and intent were clear (as is often the case with more sophisticated instances of long standing attacks involving data exfiltration) – to gain as much information related and pertaining to the business of these organizations as possible. This data ranged from bid contracts on oil and gas fields to operational communication to sensitive information at the executive levels of the target organizations in question. Their assertion is that the attacks originate primarily in China. It should be noted that origination does not equate to attribution something all security professionals must bear in mind when conducting incident response and forensic investigation. Their report suggests that multiple actors were involved and that they were able to identify one individual (again I’m interested in attribution with respect to this), who provided the command and control (C&C) infrastructure deemed integral to the attacks.
Though I mentioned high level attributes of the attack I think it is necessary to explore / examine the attack vectors in a little more detail. This blog is not meant to supplant the report described herein. It is meant to provide some clarity and insight to their findings for customers and the community at large. The attack was covert and the targets specific. This again does not make for or warrant the classification and / or creation of a new type of attack. These facts merely underscore the realities associated with more sophisticated professional attacks.
SQL Injection attacks were used to exploit vulnerabilities present within the Microsoft Operating Systems upon which the web sites of the victims were constructed. This exploitation paved the way for remote code execution by the architects of this attack. Additionally, targeted spear phishing attacks were launched in the hopes of catching remote / mobile user populaces associated with the victim organizations off guard and vulnerable. In doing so, this further increased the odds of successful exploit and compromise with the goal being still well within reach. Once these platforms (Web Servers or mobile user endpoints) were compromised, common hacker and system administrator tools were introduced by the attackers to further compromise the victimized environments. Password guessing via brute force and hash sharing was accomplished and thus saw the destabilization of the relevant security controls within the victim Microsoft Active Directory infrastructures.
The Gh0st Rat tool-set was leveraged for surveillance and massive data identification & exfiltration. Credit should be given to Microsoft and the Internet Explorer feature set as the attackers had to disable IE proxy settings in order to leverage their Command & Control infrastructure on compromised hosts. Is this attack unique? The answer is no. Is this attack representative of a new dawn or era kinetic cyber activity? The answer is no. Is this something you and your organization should be concerned about? The answer is yes. There are several reasons for concern here but the starkest stem from noting the basic attributes of the attack (the vulnerabilities) which were exploited. Were there human elements at play that were socially engineered? The answer is yes and unfortunately there is no patch that sees susceptibility to deception prevented. Diligence, and a vigilant approach to information security program design and operation are required the narrow those gaps.
For more information on threats such as 'Night Dragon', 'Gh0stNet', 'Aurora' and 'Stuxnet' please keep an eye on this blog and other research related materials being produced by HP DVLabs. Additionally, feel free to check out this book written by myself and HP TippingPoint's John Pirc.