China Hackers Hit Western Oil Companies: Report

BEIJING — Hackers operating from China stole sensitive information from Western oil companies, a U.S. security firm reported Thursday, adding to complaints about pervasive Internet crime traced to the country.

The report by McAfee Inc. did not identify the companies but said the "coordinated, covert and targeted" attacks began in November 2009 and targeted computers of oil and gas companies in the United States, Taiwan, Greece and Kazakhstan. It said the attackers stole information on operations, bidding for oil fields and financing.

"We have identified the tools, techniques, and network activities used in these continuing attacks – which we have dubbed Night Dragon – as originating primarily in China," said the report.

The report gave no indication the attacks were anything other than standard corporate espionage that plagues businesses around the world, which the U.S. and China have both accused each other of being deeply involved in.

The fact that oil companies were targeted may speak more to the value of their inside information than any attempt to cause damage to pipelines. McAfee called the attack methods "unsophisticated," but said the culprits were patient: they may have been inside the networks for years.

"It looked to me like the traditional hack-to-steal-valuable-stuff," said Josh Shaul, vice president of product management at Application Security Inc., a New York-based database security software maker that wasn't involved in McAfee's research. Application Security counts energy companies, including oil firms, among its clients. "It all seemed to me like someone trying to get ahead in the oil industry rather than doing something more nefarious."

The intruders were prolific in their purloining, snatching files including configurations for the oil companies' control systems, but Dmitri Alperovitch, vice president of threat research for McAfee, said they didn't appear to be trying to figure out how to blow up a pipeline or destroy equipment.

"I got a very strong sense that was not their goal," he said. "They expressed a much stronger interest in financial information."

McAfee said it identified an individual in the eastern Chinese city of Heze in Shandong province who provided servers that hosted an application that controlled computers at the victim companies. The report did not identify the man but U.S. news reports citing McAfee gave his name as Song Zhiyue.

Contacted by phone, Song said he was a salesman for a company, Science and Technology Internet, that rents server space. He said some of his customers were hackers but he declined to comment on the attacks cited by McAfee. Song said he has not been contacted by Chinese authorities.

"I recently heard about Chinese hackers using U.S. servers provided by companies like ours to attack oil companies in the U.S. Our company alone has a great number of hackers" as customers, Song said. "I have several hundred of them among all my customers as far as I know."

Critical infrastructure is increasingly a hacking target as its technology is brought into the Internet age.

An attack might be as simple as getting a low-level employee to open a malicious e-mail link. Or, it might involve exploiting well known vulnerabilities in Internet-connected servers, which is how McAfee said the oil companies were attacked. Finding those weaknesses can be simple; programs exist that will scan the Internet and automatically issue an alert when vulnerable servers have been found.

Still, money, not terrorism, appears to frequently be the motive, as it is with most computer crime.

A separate report last year from McAfee and the Center for Strategic and International Studies in Washington found that more than half of the 600 operators of power plants and other critical infrastructure surveyed said their networks were infiltrated by sophisticated adversaries. Extortion was identified as a common motivation. Oil companies were among the most frequently targeted.

Security consultants say China is a leading center for Internet crime including industrial spying aimed at major companies. Consultants say the high skill level of earlier attacks suggests China's military, a leader in cyberwarfare research, or other government agencies might be stealing technology and trade secrets to help state companies.

Last year, Google Inc. closed its China-based search engine after complaining of cyberattacks from China against its e-mail service.

The Chinese government has denied it is involved.

Officials in the United States, Germany and Britain say hackers linked to China's military have broken into government and defense systems. Attacks on commercial systems receive less attention because companies rarely come forward, possibly for fear it might erode trust in their businesses.

Spokesmen from several American, British and Greek oil companies said they were either unaware of the hacking or that they could not comment on security matters.

McAfee, based in Santa Clara, California, said the hackers worked through servers in the United States and the Netherlands and used techniques including taking advantage of vulnerabilities in the Microsoft Windows operating system.

McAfee said extraction of information occurred from 9 a.m. to 5 p.m. Beijing time on weekdays. It said that suggested the attackers were "company men" on a regular job, rather than freelance or amateur hackers.

The attackers used hacking tools of Chinese origin that are prevalent on Chinese underground hacking forums, McAfee said.

Google announced last January that cyberattacks from China hit it and at least 20 other companies. Google says it has "conclusive evidence" the attacks came from China but declined to say whether the government was involved.

Google cited those attacks and attempts to snoop on dissidents in announcing it wanted to stop censoring search results in China, which the communist government requires. The company closed its China-based search engine last March.

In 2009, a Canadian research group said a China-based ring stole information from thousands of hard drives worldwide. The Information Warfare Monitor said attackers broke into government and private organizations in 103 countries, including the computers of the Dalai Lama and his exiled Tibetan government.

There are no estimates of losses attributable to hacking traced to China, but McAfee has said previously that intellectual property worth an estimated $1 trillion was stolen worldwide through the Internet in 2008.

McAfee's report was released ahead of the annual RSA Conference next week in San Francisco. Security firms issue a flurry of reports around such conferences to promote their products and call attention to new hacking trends.

___

AP researcher Zhao Liang in Beijing and AP Business Writer Chris Kahn in New York contributed to this report.

___

Online:

McAfee Inc.'s report: http://bit.ly/hvV38n