The attackers gained access and stole secrets, specifically targeting documents about oil exploration and bidding contracts, via a combination of con tricks, computer vulnerabilities, and weak security controls. The Night Dragon attacks used to break into all the networks were built around code and tools widely available in the dark corners of the Internet; while not particularly sophisticated, they were still very effective.
The Night Dragon operation was made up of methodical and progressive intrusions into the targeted infrastructure, and can be broken down into five basic activities:
- Company extranet web servers compromised through SQL-injection techniques, allowing remote command execution
- Commonly available hacker tools are uploaded on compromised web servers, allowing attackers to pivot into the company's intranet and giving them access to sensitive desktops and servers internally
- Using password cracking and pass-the-hash tools, attackers gain additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers
- Initially using the company's compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet
- Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive document
"These attacks have involved social engineering, spearphishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) in targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations," according to the report. "We have identified the tools, techniques, and network activities used in these continuing attackswhich we have dubbed Night Dragonas originating primarily in China. Through coordinated analysis of the related events and tools used, McAfee has determined identifying features to assist companies with detection and investigation. While we believe many actors have participated in these attacks, we have been able to identify one individual who has provided the crucial C&C infrastructure to the attackers."