
Global articles on espionage, spying, bugs, and other interesting topics.

Keep abreast of the espionage threats facing your organisation.

FBI probes cyber-espionage attacks on oil groups



The US Federal Bureau of Investigation is probing a series of cyber-espionage attacks on at least five major oil, gas and petrochemical companies by hackers based in China.

The attacks, which began more than a year ago and are continuing, have succeeded in capturing sensitive financial information, including plans for bidding on drilling rights in specific fields, and production information, such as the configuration of equipment.

Such data would be worthless to most people but highly valuable to competitors in the industry, suggesting an economic motive for the intruders. The penetration followed a similar pattern at all of the targets identified so far and appeared to have been conducted by a group of a dozen or fewer people working from about 9am to 5pm Beijing time during the week.

“These were company worker bees, not freestyle hackers”, said Dmitri Alperovitch, a researcher at Intel (NASDAQ: INTC)-owned antivirus firm McAfee (NYSE: MFE) and a contributor to a white paper on the campaign being published on Thursday.

Mr Alperovitch said he and his colleagues had briefed the FBI and that the agency was investigating.

“We are aware of the threat to the oil and gas industry” from cyber-espionage, said FBI spokeswoman Jenny Shearer, adding that she could not confirm or deny specific inquiries.

The National Cyber-Forensics Training Alliance, a US non-profit that works with private companies as well as law enforcement and academia, has also been researching the case, and group chief executive Rob Plesco said it was the first that he knew of against the oil and gas industry.

Mr Plesco praised McAfee for going public with a description of the attacks on its clients, since targeted companies themselves rarely confess to such breaches and they can serve as an effective warning.

According to the white paper and Mr Alperovitch, the attacks began with an assault on the companies’ external websites using a common technique known as ‘SQL injection’, named after holes in the Structured Query Language used to communicate with databases. Hacking tools readily available on underground forums in China were then used to gain access inside the company’s servers, and automated cracking techniques gave the intruders user names and passwords.

The hackers then installed software to control the compromised machines and sent off e-mails and targeted documents to internet addresses in China.

They used previously known software flaws and did not go to great lengths to cover their tracks, the researchers found.

Such attacks are commonplace in many industries, investigators and law enforcement officials say, but are rarely divulged or explained.


Sex lured Taiwan general to become China spy

TAIPEI (AFP) – A Taiwanese general detained in what could be the island’s worst espionage case in 50 years was lured by sex and money offered by a female Chinese agent, media reported Thursday.

Army major general Lo Hsien-che was allegedly recruited while stationed in Thailand between 2002 and 2005, drawn in by a honeytrap set by the agent, then in her early 30s, said the China Times, citing unnamed sources.

“Lured by sex and money offered by the spy, Lo was recruited by China to supply top secret information he handled,” the paper said.

The woman, described by the paper as “tall, beautiful and chic,” held an Australian passport and initially pretended to be working in the export and import trade when she met Lo, who was already married, the paper said.

Lo, now 51, started to collect secrets for her in 2004 and received up to $200,000 at a time for his services, eventually pocketing as much as $1 million from China, it said.

Although he returned to Taiwan in 2005, Lo continued working for China and kept meeting the woman in the United States, where he handed over more confidential information to her, it added.

Lo had managed to keep his activities under wraps and pass repeated loyalty checks and was promoted to a major general in 2008, according to the paper.

He was head of the army’s telecommunications and electronic information department when he was arrested last month, according to the defence ministry, which declined to comment on the report.

Military officials have called the scandal the worst Chinese communist espionage case in the past half century, given the sensitive affairs that Lo had access to.

“We do not know the relevant circumstances,” said a spokesman for the Taiwan Affairs Office in Beijing when asked to comment on the case.

China’s state-controlled Global Times tabloid quoted Li Fei, a Taiwan expert at southeast China’s Xiamen University, as saying the two sides of the Taiwan Straits are still actively spying on each other.

“Espionage activities have never ceased, even though cross-Straits tensions have eased over the years,” he said, adding agents no longer targeted only military secrets, but also economic and technological intelligence.

Taiwan’s military, which has set up an ad hoc group for damage control, warns that China has not stopped infiltrating into Taiwan despite warmer relations in recent years.

Lo’s arrest came amid fast-warming ties between Taipei and Beijing following the 2008 election of Beijing-friendly Ma Ying-jeou as president.

Taiwan and China have spied on each other ever since they split in 1949 at the end of a civil war. Beijing still regards the island as part of its territory awaiting reunification, if necessary by forc


BHP chief offered secrets to US: WikiLeaks

By a staff reporter, with Reuters

BHP Billiton chief executive Marius Kloppers was willing to trade secrets with the United States and feared espionage from the Chinese, Rio Tinto Ltd and the Australian government, according to an American secret diplomatic cable released by WikiLeaks and reported on by Fairfax Media.

Beginning in a June 4, 2009 meeting between Mr Kloppers and US consul-general Michael Thurston and in subsequent discussions, Mr Kloppers asked US diplomats for insights on China’s intentions and said he would be willing to trade secrets in order to obtain information on China, according to Fairfax reports on the secret US cable.

In addition, Mr Kloppers reportedly took credit for derailing the controversial plan by Chinese state-owned Chinalco to invest $23.9 billion in Rio Tinto. His claim of having personally quashed the investment came a day before the deal collapsed, the report said.

Mr Kloppers, who described himself as only nominally Australian, also reportedly complained about surveillance and even espionage by the Chinese, Rio Tinto and the Australian government, describing doing business in Melbourne as being similar to playing poker when everyone can see your cards, Fairfax reported.

The cables describe Mr Kloppers as saying the Australian government was wary of too much Chinese investment and would prevent Chinese state-owned firms from owning Australia’s largest mining companies such as BHP, Rio Tinto and Woodside Petroleum Ltd, according to Fairfax.

“Clearly frustrated, Mr Kloppers noted that doing business in Melbourne (BHP’s Australian headquarters) is like ‘playing poker when everyone can see your cards’,” it quoted a US envoy to Australia, Michael Thurston, as saying in a cable.

“(Mr Kloppers) complained that Chinese and industrial surveillance is abundant and went so far as to ask consul-general (Thurston) several times about his insights into Chinese intentions, offering to trade confidences,” the cable said.

BHP Billiton declined to comment.

BHP Billiton and Rio Tinto each count China as their biggest markets but relations with China have sometimes been tense, especially in the iron ore market which Rio Tinto and BHP Billiton dominate along with Brazil’s Vale.

Tensions peaked in 2009 when Chinese steel producers failed to clinch an annual pricing deal and a Shanghai court jailed four Rio Tinto employees, including Australian citizen Stern Hu, for stealing commercial secrets and taking bribes.

Their arrest at the height of fraught 2009 iron ore price negotiations strained ties between Australia and China, and shocked the Chinese steel industry.

BHP Billiton had already riled Chinese steel mills with its 2008 bid to take over Rio Tinto, though BHP Billiton later dropped its offer in the face of stiff global opposition among competition regulators. BHP Billiton upset the mills again in 2009 with a proposed iron ore joint venture with Rio Tinto, a deal that also foundered over anti-competition concerns.

Between those two failed attempts to forge a BHP Billiton-Rio Tinto alliance, Chinese state-owned metals conglomerate Chinalco proposed a $US23.9 billion partnership with Rio Tinto, which Rio Tinto initially accepted, but later rejected.

Mr Kloppers took personal credit for quashing that deal, according to Wikileaks, Fairfax reported.

“Australia does not want to become an open pit in the southern-most province of China,” Mr Kloppers said at the time, according to the report.


Kloppers admits concern over China spying

Reuters

Global miner BHP Billiton Ltd’s boss, Marius Kloppers, confirmed he had harboured concerns about Chinese and competitor espionage on his business, citing it as a reason behind his push for market pricing of key commodities.

Mr Kloppers, who runs the world’s biggest miner, once offered to trade intelligence on China with Washington after telling a US diplomat about the extent of Chinese surveillance of his firm, reports said this week.

The Sydney Morning Herald, citing diplomatic cables obtained from WikiLeaks, said Mr Kloppers had confessed his concerns to the Australia-based envoy in 2009, at a time when he was pushing Chinese customers to switch from closed-door annual price negotiations to more market-based pricing.

Asked on Wednesday to confirm whether he was concerned about espionage from China and from competitors such as rival miner Rio Tinto, Kloppers told an earnings briefing: “I would rather like to put that in a positive.”

“One of the reasons we have pushed so hard for market-clearing prices is so that these sorts of things are not a concern, because if you sell your product at the market-clearing price, that everybody can read off screens, it minimises any impact of differential information that the one party or the other may hold,” he said.

“So you produce at full capacity and you sell at the market price and you should, from those comments, really understand why we have pushed so hard to get the market-clearing price.”

Mr Kloppers led a successful battle over the past two years to move pricing of iron ore sales away from annual negotiations, despite resistance from Chinese steel mills which buy more than $US25 billion ($A24.9 billion) of the raw material a year from Australia alone.

Negotiators involved in the annual talks – a system now replaced by quarterly market-based pricing – relied heavily on good industry intelligence to strike the best annual bargain, and the negotiations were often tense and full of intrigue.

Tensions peaked in 2009 when Chinese steel producers failed to clinch an annual pricing deal and a Shanghai court jailed four Rio Tinto Ltd employees, including Australian citizen Stern Hu, for stealing commercial secrets and taking bribes.

The arrest of Mr Hu and three Chinese colleagues at the height of fraught iron ore price negotiations strained ties between Australia and China, and shocked the Chinese steel industry.

Experts say the absence of dividing lines between the state and corporations in countries such as China, coupled with digital technology that can make it easy to steal huge volumes of information, increases the risks companies face.

Last month, French President Nicolas Sarkozy’s office asked French intelligence to probe suspected industrial espionage at car giant Renault with a possible Chinese link, a government source told Reuters. China denies involvement.

Renault is far from the only suspected case. US cables released by WikiLeaks show diplomats blaming China for hacking into Google systems that prompted the Internet giant to pull back from mainland China.

Some analysts also suspect information theft may be helping China close the gap faster than expected as it builds a “stealth fighter” to rival Lockheed Martin’s F-22.


RSA 2011: E-mail is still top cyber attack method

E-mail is still the biggest security threat

E-mail is still the top attack method for targeted and espionage attacks, says Mikko Hypponen, chief research officer at security firm F-Secure.

Chat, instant messaging and web-based attacks are still in the minority, he told delegates at the RSA Conference 2011 in San Francisco.

The reason espionage is increasingly moving online, he said, is simply that most information is now stored digitally, and it is possible to steal information without necessarily gaining access to the target organisations.

Typically these are targeted attacks, where an individual within an organisation will receive an e-mail that appears to come from someone they know.

The e-mails also typically carry an attached document that makes sense and is relevant to the recipient, and that is often a copy of an actual document used by the supposed sender’s organisation.


The recipient views the document, but is totally unaware that malware is being installed in the background that creates a backdoor, said Hypponen.

“This backdoor not only gives the attacker access to the victim’s system, but also to everything on the network that they are authorised to access,” he said.

Even though Word and other document types are used, PDF is the most common document used for targeted attacks.

“Attackers exploit vulnerabilities in Adobe Reader to install the malicious code on the victim’s machine,” said Hypponen.

In the face of these types of targeted espionage attacks, businesses should make employees aware of the tell-tale signs.

If documents take longer than usual to appear, it could be that a backdoor is being installed before a fake document is displayed, said Hypponen.


A difference between the name of the attached file and the name of the file that is eventually displayed is also an indicator of a potential targeted attack.

Anyone who suspects that an e-mail may be illegitimate should check with the supposed sender to see if they did indeed send the e-mail in question, preferably before they open the attachment, he said.

Businesses can also better detect targeted attacks by monitoring the sites to which employee computers are connecting, said Hypponen.

In addition to several well-known malicious sites, businesses can monitor for sites that use variations on the spelling of legitimate sites.

“If an employee’s computer is connecting to a site like www.kabspersky.com, it is likely to be a malicious site,” said Hypponen.
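
The monitoring described above can be sketched as a check over proxy logs. This is an added example, not code from F-Secure or the original article: it flags hostnames whose base domain is within a small edit distance of a trusted domain, and the watchlist, threshold, log format and log lines are all assumptions constructed for illustration.

```python
WATCHLIST = {"kaspersky.com", "f-secure.com", "adobe.com"}  # assumed list of trusted domains
MAX_DISTANCE = 2  # assumed threshold: edits tolerated before a name counts as unrelated

# Constructed proxy-log lines in an assumed format: "<timestamp> <client> <host>"
SAMPLE_LOG = """\
2011-02-16T09:14:02 10.0.4.17 www.kaspersky.com
2011-02-16T09:14:09 10.0.4.23 www.kabspersky.com
2011-02-16T09:15:41 10.0.4.23 update.f-secrue.com
2011-02-16T09:16:00 10.0.4.31 intranet.example.org
"""

def edit_distance(a, b):
    """Levenshtein distance with an adjacent transposition counted as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbouring letters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def base_domain(host):
    """Last two labels, lower-cased. Simplification: no public-suffix handling."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(log_text, watchlist=WATCHLIST, max_distance=MAX_DISTANCE):
    """Return (client, host, imitated_domain) for each near-miss of a watched domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, host = parts
        domain = base_domain(host)
        if domain in watchlist:
            continue  # exact match is the legitimate site
        for good in sorted(watchlist):
            if 0 < edit_distance(domain, good) <= max_distance:
                hits.append((client, host, good))
                break
    return hits

if __name__ == "__main__":
    for client, host, good in find_lookalikes(SAMPLE_LOG):
        print(f"{client} connected to {host}: looks like {good}")
```

Short domain names produce more chance matches at a fixed threshold, so a deployment would scale the threshold to name length and use a public-suffix list rather than the last two labels.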

It is important for businesses to ensure security patching is always up to date and they are monitoring all connections made from corporate computers, he said.

Hypponen also recommends businesses use a PDF reader other than the product from Adobe. His reasoning is that other readers do not have the same install base and are therefore less targeted.