Kate Mackenzie Cyber attacks on oil majors

Christian Science Monitor has what looks like a very interesting scoop: at least three US oil companies have been targeted by a new, sophisticated type of cyberattack that the publication believes could be originating from China. ExxonMobil, Marathon Oil and ConocoPhillips are the reported targets. The story comes just days after Google claimed attacks originating from China had targeted specific employees, and their friends.

The CSM says it has seen documents confirming that ‘bid data’ – highly sensitive commercial information on discoveries and reserve estimates – had been sought in the attacks:

The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.

The CSM couldn’t get any of the three companies to comment officially on the attacks, or even confirm them, but it says it spent five months talking to industry insiders, security experts, and ex-government officials to verify the attacks.

Obviously we don’t know exactly how this story is shored up, but a well-placed source has confirmed to the FT that US law enforcement agents have in the past warned oil companies with operations in Houston that such attacks had occurred, and that they needed to check their systems.

Less certain is the provenance of the attacks. From the CSM:

While China’s involvement in the attacks is far from certain, at least some data was detected flowing from one oil company computer to a computer in China, a document indicates. Another oil company’s security personnel privately referred to the breaches in one of the documents as the “China virus.”

However, that, as the story points out later, is fairly circumstantial – Chinese computers, for example, could have been harnessed knowingly or unknowingly by attackers from elsewhere.

More worryingly, an anonymous source tells the CSM the companies themselves don’t realise that “a major foreign intelligence agency has taken control of major portions of their network”.

The CSM says this is a new type of attack that “involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations”.

The method of the attacks, according to one anonymous source connected to Marathon Oil, was phishing targeted at executives – in the form of a bogus reply to a non-existent original email, requesting comment on the Emergency Economic Stabilization Act. The story says similar emails were received by executives at ConocoPhillips and Exxon:

Once a bogus link is clicked on, a single intruding piece of advanced spyware can change digital signatures to evade detection, spin off decoys, and lie low while waiting to pilfer targeted information. It gives clandestine control of a network over to the outside attackers. When the program finds data, it encrypts the information and sends it back to the cyberthieves.

The cleverest attacks, as any security expert will tell you, use ‘social engineering’ – ie, they rely on fooling company staff rather than just sheer technical force. Social engineering is also one of the most difficult things to guard against – human mores are so inbuilt that they are easily exploited.
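The pretext described above, a reply to an email that was never sent, leaves a simple trace a mail gateway can check for: a genuine reply generated by a mail client carries In-Reply-To and/or References headers pointing at the message it answers, while a fabricated one usually does not. The following heuristic is an added illustration, not code from the CSM story or from any of the companies named; the sample messages, addresses and Message-IDs are constructed for it.

```python
"""Flag messages whose subject claims to be a reply or forward but which carry
no threading headers linking them to an earlier message.  This is a triage
heuristic, not a verdict: some mail clients strip threading headers, so hits
deserve a look rather than an automatic block."""
import email
from email import policy

REPLY_PREFIXES = ("re:", "re :", "aw:", "sv:", "fw:", "fwd:")


def looks_like_orphan_reply(raw: str) -> bool:
    """Return True when the subject starts with a reply/forward prefix but
    neither In-Reply-To nor References is present."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    claims_reply = subject.startswith(REPLY_PREFIXES)
    has_thread = bool(msg["In-Reply-To"] or msg["References"])
    return claims_reply and not has_thread


def flag_orphan_replies(raw_messages):
    """Return the Message-IDs of messages that trip the heuristic."""
    flagged = []
    for raw in raw_messages:
        if looks_like_orphan_reply(raw):
            msg = email.message_from_string(raw, policy=policy.default)
            flagged.append(str(msg["Message-ID"]))
    return flagged


# Constructed samples: a fabricated "reply" (no threading headers) and a
# genuine reply that references the message it answers.
FAKE_REPLY = """\
From: sender@example.invalid
To: exec@example.invalid
Subject: Re: Comment on the Emergency Economic Stabilization Act
Message-ID: <fake-1@example.invalid>

Attached is the draft you asked about.
"""

REAL_REPLY = """\
From: colleague@example.invalid
To: exec@example.invalid
Subject: Re: Q4 planning
Message-ID: <real-2@example.invalid>
In-Reply-To: <orig-1@example.invalid>
References: <orig-1@example.invalid>

Thanks, will do.
"""

if __name__ == "__main__":
    print(flag_orphan_replies([FAKE_REPLY, REAL_REPLY]))  # ['<fake-1@example.invalid>']
```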

Related links:

Google vs China – FT In Depth