Night Dragon hack attacks make cyberwar commercial

Best name ever for most boring hacker conspiracy

In an operation using a code name far cooler than anything else about it, a 9-to-5 hacker pool based in China has spent the last two years stealing intellectual property from U.S. utility companies, according to a report from McAfee.

The first question to ask, of course, is what intellectual property could a utility possibly have? How to not find my water meter every time you come to my house for years? How to trim a hole through the branches of big trees to run power lines and never think the whole shebang was going to come down the first time the smaller branches above got a big load of ice and snow on them?

How to block the really small side streets as well as the main drags when you're working on something underground during rush hour?

Just asking.

McAfee doesn't say much about the kind of information stolen, though apparently some of the machines compromised were the same kind of SCADA facilities-management tools targeted by the Stuxnet worm in 2010.

It does describe the earnest, workmanlike effort to steal it under the code name "Night Dragon."

Rather than being a single piece of malware, Night Dragon is more a modus operandi – attacks following a similar pattern and set of techniques, according to NakedSecurity.

Unexciting as the techniques and targets are, they do represent another example of hackers attacking the civil infrastructure of a country, rather than simply a bank, web site or other digital property. Like the Stuxnet attack on Iran's nuclear-development project, attacks on utilities, traffic facilities and the other infrastructure that allows a country to run pose a much larger threat to a country than smash-and-grab commercial hacks.

Night Dragon can be traced, McAfee says, back to one person living in Heze City in Shandong Province, who apparently supplied networks and computers to a whole staff of low-level hackers. The hacker-drones worked regular business hours for at least two years and possibly four, systematically attacking a range of telecom, power and oil companies in several countries.

The hacker-pool attacked public web sites using remote-administration tools, Windows exploits, weak points in Active Directory structures and other common techniques, often using software available free on underground hacker sites.

They also used social engineering techniques that involved calling utilities in Kazakhstan, Taiwan, Greece, and the U.S. and just asking them for sensitive information, which they sometimes got.

"These methods and tools are relatively unsophisticated," the report concluded. "The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies."

McAfee also put out a whitepaper (PDF) on how to recognize Night Dragon attacks from this group and from others using similar techniques.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
