The Big Oil APT and Botnet Business

By Gunter Ollmann, Damballa

The recent Google Advanced Persistent Threat (APT) dialogue has been
hogging the press for a week now, and each day reveals new (and often
conflicting) insight. As I mentioned on Thursday's blog – “Preemptive Protection” Isn’t – If You’re Battling APT’s
– this particular attack doesn't represent some new shift in tactics.
It's not the first APT in the world; in fact I'm pretty sure it's not
Google's first exposure to APTs, and I'm certain it isn't going to be the
last. I'd say it's a safe bet that there are several
other equivalent APT successes currently operating within Google's
networks waiting to be discovered. Such is the state of the threat.

So, while the Google APT hogs the limelight, I found it rather topical to note the story on the CSMonitor.com site – US oil industry hit by cyberattacks: Was China involved?
– covering other successful APT campaigns going back a few years
that victimized Marathon Oil, ExxonMobil, and ConocoPhillips. If you have
the time, the story is worth the read and you'll get a better
understanding of the breadth of attack vectors.

Given these timely public disclosures of successful APTs and the
additional claims of Chinese involvement in the attacks, I thought it
would be valuable to share my own experiences and insight into the
threats facing the major oil and petroleum organizations.

Truly big business attracts truly big crime. In fact, as I mentioned
to a colleague here in the office today, it's practically impossible to
separate big business from government, and separating state-sponsored
(or endorsed) actions from corporate espionage can be more a matter
of semantics than anything else at that level. For many countries, big
business doesn't get much bigger than that of the major oil companies.
As such, the big oil and petroleum organizations are under a perpetual
barrage of sophisticated attacks.

As the target of a long-term, well-funded and well-organized APT
attack, the compromise of perimeter defenses is measured in weeks or
campaigns, rather than in success probability metrics. Think of an APT as a
campaign of well-researched attacks spread over an extended period of
time, coming from a broad spectrum of perceived sources.

Sophisticated malware lies at the heart of a successful APT
compromise. It's the primary tool for navigating the victim's network,
targeting specific hosts and information, and extracting the critical
data. Unfortunately for the good guys having to defend these networks,
“sophisticated” doesn't mean exclusive or hard to acquire. Getting
hold of the malware components necessary to carry out this kind of
attack is child's play – literally! If you're capable of using a search
engine and running a software package you've just downloaded, you have
all the skills necessary to craft, build and distribute a custom
malware agent like those used in the APT attacks that have made the news recently.
In fact you've had that very same capability for at least the last 3-4
years.

In my time dealing with oil and petroleum companies in Europe, I found
that APTs were orchestrated from a variety of country sources – from
first-world through to third-world – often with a heavy regional
weighting. For example, oil and gas companies installing new pipelines
in and around the Mediterranean at the time seemed to attract RATs
(Remote Access Trojans) developed from DIY construction kits and
delivered by innovative drive-by-download vectors that had a healthy
dose of Cyrillic typefaces. Meanwhile some self-propagating worms that
had eventually made it to various UK offices (and were intercepted
there) appeared to try to use Windows exploits that were optimized
for other regional flavors of the operating system (i.e. memory offsets
and keylogging keywords were for different language editions).

While the recent CSMonitor.com posting discusses APTs focused on
the theft of oil exploration and discovery data, the targets of other
attacks I've seen (or heard about) are just as broad again. In fact,
some of the targets may not even be information – the aim may be to lay
the groundwork for a more damaging physical interruption of business.
For example, worm-based malware is a particular concern to the oil and
petroleum companies. Vast swathes of their networks encompass mechanical
and industrial control systems – and embedded operating systems are a
fundamental feature of modern processing plants (and oil delivery).
Unfortunately it's rather tricky to update 5+ year-old valve controller
systems every time there's a new security patch (multiply that problem
by every 50 meters of a 1,500 km oil pipeline, for example). Irrespective
of all the SCADA problems you may have heard about over the last few
years, unpatched embedded operating systems that can be exploited using
off-the-shelf hacking kits and remotely controlled using standard
botnet management tools will give even the best security consultant
prolonged heartburn.

Again though, and I've said this several times since Google's public
announcement, APTs aren't a particular piece of malware or an attack
vector – they are coordinated attacks by motivated and professional
criminals. They will succeed in breaching their target's perimeter. They
will compromise internal hosts and embedded systems. Their criminal
operators are myopically focused on achieving their business objectives.

Detecting when they've breached your network defenses, when they've
circumvented your preemptive protection technologies, and when they've
compromised your computing systems is critical. And you know what? I
know how to detect them. Command and Control (CnC) communications are
the APT's soft underbelly – whether you're a search engine company, a
global petroleum company with revenues that rival the GDP of many small
countries, or just a company that holds the keys to secrets that
someone else wants and is determined to acquire – identification of
their cyber-polling or interactive digital chatter will unearth their
presence.
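The "cyber-polling" the essay points to is the regular check-in of a compromised host with its controller, and that regularity is something a defender can measure. The following is an added example, not code from the essay or from Damballa: a small beacon detector that groups outbound connections by (source, destination), computes the gaps between consecutive connections, and flags pairs whose gap timing is nearly constant. The log format, host names, IP addresses and thresholds are all constructed for illustration; real proxy or flow logs would need their own parser, and the sample thresholds (six connections, coefficient of variation of 10%) are starting points to tune against your own baseline, not a vendor's values.

```python
"""Beacon (periodic CnC polling) detector over constructed outbound log lines.

Added example for illustration only; it is not the essay's or Damballa's
code. The log format, hosts, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# One host polls update.example-cdn.test roughly every 300 s with a few
# seconds of jitter (the beacon), browses news.example.test at irregular
# times, and touches mail.example.test only twice (too few samples to judge).
SAMPLE_LOG = """\
2010-01-18T09:00:00 10.1.2.15 update.example-cdn.test 512
2010-01-18T09:00:07 10.1.2.15 news.example.test 14020
2010-01-18T09:00:41 10.1.2.15 news.example.test 9811
2010-01-18T09:03:12 10.1.2.15 news.example.test 22310
2010-01-18T09:05:02 10.1.2.15 update.example-cdn.test 514
2010-01-18T09:09:59 10.1.2.15 update.example-cdn.test 511
2010-01-18T09:11:50 10.1.2.15 news.example.test 7302
2010-01-18T09:12:02 10.1.2.15 news.example.test 1188
2010-01-18T09:12:30 10.1.2.15 mail.example.test 3300
2010-01-18T09:15:01 10.1.2.15 update.example-cdn.test 513
2010-01-18T09:20:00 10.1.2.15 update.example-cdn.test 512
2010-01-18T09:24:58 10.1.2.15 update.example-cdn.test 515
2010-01-18T09:27:33 10.1.2.15 news.example.test 18840
2010-01-18T09:28:10 10.1.2.15 news.example.test 2050
2010-01-18T09:30:03 10.1.2.15 update.example-cdn.test 512
2010-01-18T09:31:15 10.1.2.15 mail.example.test 2900
2010-01-18T09:35:00 10.1.2.15 update.example-cdn.test 514
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def detect_beacons(text, min_samples=6, max_cv=0.10):
    """Return (src, dst, mean_gap_seconds, gap_cv) for each (src, dst) pair
    whose inter-connection gaps are nearly constant.

    The coefficient of variation (stddev / mean) of the gaps is the jitter
    measure: human browsing produces a high CV, a timer-driven agent a low one.
    Pairs with fewer than min_samples connections are skipped because the
    statistic is meaningless on a handful of points.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 1), round(cv, 4)))
    return findings


if __name__ == "__main__":
    for src, dst, avg, cv in detect_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (jitter cv={cv})")
```

On the constructed sample the only pair flagged is the one polling update.example-cdn.test, with a mean gap of 300 seconds and a jitter of under 1%; the browsing traffic has a far higher CV and the two mail connections are never scored. In practice this is one signal among several: a low-jitter poll to a destination that is rare across the estate, with near-constant request sizes, is what merits a closer look, whereas a low-jitter poll to a well-known update service is normally benign.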

Gunter Ollmann is the VP of research at Damballa. This essay originally appeared on Damballa’s The Day Before Zero blog.
