McAfee Documents “Night Dragon” APT

(This article was originally published on the Findings From the Field blog.) McAfee has released a report describing a new Advanced Persistent Threat they dubbed "Night Dragon." The attackers were able to take remote control of assets they compromised. In this attack, though, the motive was not sabotage, but the theft of competitive intelligence. What is distressing is that while the adversary behind the attack seems very capable, the technology of the attacks was not very sophisticated. These adversaries were able to take over control system assets and energy-industry infrastructure using fairly unsophisticated "remote administration" toolkits. Advanced Persistent Threat The Night Dragon attacks represent an Advanced Persistent Threat (APT) in the original sense of the term. The "threat" in the original definition did not refer to the attack tools, but rather to the agency behind the attacks. The threat in this case is the people who appear to work "nine to five" in the time zone of eastern China. These people appear to come in to work every morning, hack their targets all day long, and then go home at night to their families. Unlike "boasting rights" hackers, who break into networks and web sites because they can, McAfee reports that this threat behaves like a group of professionals. Boasting-rights hackers will get discouraged if a particular site is well-defined and find another target where they might have more success. Even the professionals behind organized crime behave opportunistically to some degree - they steal bank account credentials and credit card numbers indiscriminately, from the easiest targets they find. The professionals behind this APT acted as if they were given an objective and then worked 9-5 every day until they either achieved their objective or were given a different one. Economic Motive McAfee identifies the objective of the "Night Dragon" attacks as the theft of competitive intelligence, specifically: "Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding that were later copied from the compromised hosts or via extranet servers. ... In certain cases, the attackers collected data from SCADA systems." I have seen no well-documented cases of attackers targeting control systems for competitive intelligence, but have seen passing mention of such attacks in reports like this one, and have heard verbal reports of such attacks as well. Common wisdom has it that the conventional confidentiality / integrity / availability priorities are inverted in control systems. This report adds to mounting evidence that at least some of the time, control system data confidentiality is more important than people give it credit for. Firms have suffered serious losses through the theft of information from control systems. Another Stuxnet? In spite of occasionally targeting SCADA systems, Night Dragon is not another Stuxnet. The Stuxnet worm was a sophisticated package including four Windows zero-day exploits, three Siemens S7 exploits and some six or seven different ways to propagate automatically via networks and removable media. Night Dragon sounds more like the approach white-hat penetration-testers take when tasked with testing the security of specific network. Pen-testers will find a way into an enterprise network through vulnerabilities in web servers, or through social engineering, or by compromising the laptops of employees with VPN connections into the network. Once inside, they use what credentials they have to find other account names and passwords, and scrounge for information like network diagrams, or too often, plain-text files of account names and passwords. With each new set of credentials, the testers spread further into the target network, taking over more machines, until their objective is achieved. Why Night Dragon Matters So if Night Dragon is not high-tech stuff, why do we care? We care because Night Dragon demonstrates that simple techniques, applied by a skillful and persistent adversary, are enough to break into energy-sector firms, even to the extent of compromising their control system assets. Worse, the tools used by these adversaries let them take complete control of compromised machines, through remote-desktop-like facilities. Night Dragon used these tools to steal valuable information, but could just as easily have used them to take control of the user interface on any machine they compromised, including the control system assets. The McAfee report doesn't say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised, if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI. What Needs to be Done How do we prevent persistent adversaries using well-understood attack tools from taking over our control systems? The answer is a defense-in-depth security posture. In fact, since the Night Dragon APT was focussed entirely on remote control, protecting against that threat is somewhat easier than protecting against the USB-capable and S7-project-infecting Stuxnet: Look seriously at whitelisting/application control/HIPS protections, Increase network segmentation, Strengthen firewall rules, reducing the number and scope of connections, Reduce the number and scope of VPN connections, Install anomaly-based host and network intrusion detection systems, Consider multi-factor authentication to reduce the impact of stolen or cracked passwords, and Consider isolating the most critical parts of your control systems entirely with unidirectional diodes/gateways. The pen-testers I talk to boast that they almost always succeed, using techniques very similar to the Night Dragon techniques. The best defense against these adversaries and techniques is a strong defense-in-depth posture. To really protect against advanced threats with remote-control attacks, you need stronger controls on network connectivity than the average defense-in-depth program recommends.