Internet-Based Marketing Intelligence, the Chinese Way: What Does Night Dragon Show?

April 1, 2011
A Cyber-Attack on Global Energy Companies

McAfee produced an interesting paper last month, giving details of an operation they christen "Night Dragon," which is described as a cyber-attack on global energy companies. By gaining access to target computer systems and building an organizational chart complete with internal email addresses, these computer hackers targeted key executives, gaining access to their machines and files to "exfiltrate";  i.e., download, or steal, whole email archives and the files or documents associated with commercial bids or operational cost estimates.

The McAfee report gives a detailed analysis of how this was carried out, what hacking tools were used, and what can be deduced about the origin, objectives and motives of the people behind Night Dragon. The apparent objective was to "target and harvest sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations." The McAfee report says that "Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers. In some cases, the files were copied to and downloaded from company web servers by the hackers. In certain cases, the hackers collected data from SCADA systems."

Please note that in the above quotes I have changed the word "attackers" to "hackers," and throughout this report the language has been deliberately moderated in order not to inflame attitudes, as the politicians would say.

The operations started in November 2009, originating from several locations in China, working through command and control (C&C) servers on purchased hosted services in the United States, with other compromised servers in the Netherlands, to target global oil, gas and petrochemical companies, as well as individuals and executives based in Kazakhstan, Taiwan, Greece and the United States. The Night Dragon C&C infrastructure used by all the hackers was traced back to one probable source individual, operating in Heze City, Shandong Province, in China. The hackers operate using IP addresses based in Beijing, and are operational during weekdays from 9 a.m. to 5 p.m.; i.e., a normal working day. These hackers apparently work for companies that in the West would probably be called market(ing) research consultancies.

The objective was probably to acquire proprietary and highly confidential information: ie market intelligence to assist in commercial bid negotiations, for a client, presumably in Asia.

Who Is at Risk?

The same techniques can be used to interrogate the computer systems of any other company involved in commercial negotiations, whether this might be for the supply of nuclear or conventional power plants, steel mills, pipeline systems, rail systems or any other project, even those not involving industrial automation, of course. The principle has a long pedigree, from eavesdropping on conversations in the royal courts in Tudor times or in the Anglo-French wars, to decoding radio messages meant for enemy submarines and ships in WW2.

Currently similar systems used in the Western drug enforcement and anti-terrorism intelligence agencies might be more automated, scanning conversations, emails and Internet files for keywords, possibly with help from Google, but they are bound to be targeted on suitable sources and attached to or slipped into any computer system that is relevant. So "we" do it too.

Is This Criminal?

If the South Sea islanders had had the Internet, they would have known the deal they made trading their gold and diamonds for glass beads or a steel dagger was not a fair deal. So faced with a deal involving a major Western contractor, a less well-developed country or negotiator acting on behalf of a client would turn to the Internet for more information, and the extreme of using the Internet has to involve a hacking approach if the capability is available. In the UK, any national or local government internal emails can be legally inspected under the freedom of information act, but at the moment this right does not extend to their suppliers. Your opinion on whether such activity is valid or criminal has to depend on your background and employer. How does one Western contractor know the normal approach of another contractor, other than by asking, or recruiting, someone who knows – and this is almost the same as hacking Internet-accessible files!

Future Downside and Action

The downside to this activity is that it breeds professional hackers, who might just decide that a freelance venture into taking control of a computer control system, and using threats to extort financial gain could be a viable career. So McAfee does recommend prevention systems using application white-listing and change/configuration control software on critical servers. It also has produced a "Night Dragon vulnerability scanner" (See, and says that use of its McAfee Network Threat Response technology would have detected the malicious C&C traffic and would have alerted administrators to the attack early, giving time to react and prevent future damage. Protecting your intellectual property, in terms of your project cost files, might well be worth the small costs of the relevant software, or maybe the costing engineers need to have separate laptops whose files are not on the main system?

Andrew Ginter, chief technology officer at Abterra Technologies in Calgary, Alberta, commented, as a guest editor on the Industrial Defender website: "If Night Dragon is not high-tech stuff, why do we care? We care because Night Dragon demonstrates that simple techniques applied by a skillful and persistent adversary are enough to break into energy-sector firms, even to the extent of compromising their control system assets. Worse, the tools used by these adversaries let them take complete control of compromised machines through remote-desktop-like facilities. Night Dragon used these tools to steal valuable information, but could just as easily have used them to take control of the user interface on any machine they compromised, including the control system assets.

The McAfee report doesn't say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI."