Global Energy Industry Hit In “Night Dragon” Attacks by George Kurtz

By George Kurtz on Feb 09, 2011

In 2010 McAfee Labs processed an average of almost 55,000 pieces of new malware every day. That nearly mind-numbing amount makes it difficult for any particular attack to stand out. Today, however, I want to highlight one large-scale attack that is a clear example of how cybercrime has evolved from something of a hobbyist affair to a very professional activity. We call this specific attack “Night Dragon.”

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion-dollar deals in this extremely competitive industry.

McAfee has identified the tools, techniques, and network activities used in these attacks, which continue to this day. These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).

While the list above may seem impressive to the layperson, these methods and tools are relatively unsophisticated. The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies. In fact, these techniques are very common across many of the intrusions we examine. Intrusion techniques that we have written about since 1999 in the original Hacking Exposed text still work very well a decade later.

Anatomy Of The Night Dragon Attack


Since the initial compromises, however, McAfee and other security vendors have been able to identify the malicious software and tools used in these attacks and provide protection. McAfee recommends that companies review McAfee ePolicy Orchestrator software and anti-virus logs for ‘NightDragon’ signature detections and Network Security Platform intrusion detection systems for ‘BACKDOOR: NightDragon Communication Detected’ alerts.

Only through recent analysis and the discovery of common artifacts and evidence correlation have we been able to determine that a dedicated effort has been ongoing for at least two years and, likely, as many as four. We can now associate the various signatures that we have seen in these attacks to this particular event called Night Dragon.

We have also taken a close look at who might be behind these attacks. We have strong evidence suggesting that the attackers were based in China. The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups. McAfee has determined identifying features to assist companies with detection and investigation.

The Night Dragon attacks as well as countermeasures and tips on how to identify if your organization was targeted in these attacks are detailed in a white paper published today.

Well-coordinated, targeted attacks such as Night Dragon, orchestrated by a growing group of malicious attackers committed to their targets, are rapidly on the rise. These targets have now moved beyond the defense industrial base, government, and military computers to include global corporate and commercial targets.

More and more, these attacks focus not on using and abusing machines within the organizations being compromised, but rather on the theft of specific data and intellectual property. Focused and efficient define the very essence of today’s attackers. Thus, it is vital that organizations work proactively toward protecting the very lifeblood of many organizations: their intellectual property.


PS: If you’re attending the RSA Conference in San Francisco next week, come see Stu McClure and me discuss this attack and others during our “Hacking Exposed” session at 1 PM on Thursday Feb. 17 in Red Room 103.

You can follow McAfee CTO George Kurtz on Twitter at

