Throwback Attack: Night Dragon, one of the first attacks to target the energy industry

Courtesy: Brett Sayles

In 2006, headlines showed that Google bought YouTube for $1.65 billion in stock, Nintendo released the Wii gaming console and NASA launched the New Horizons probe. However, many people weren’t aware of a major cybersecurity news story that was happening in the background. As early as in mid-2006, Night Dragon attacks had started hitting 71 organizations in various industries but didn’t make the headlines until August 2011 by Dmitri Alperovitch, vice president of threat research at cybersecurity company McAfee.

Back then, hackers traditionally targeted government and military computers, but they recently had expanded their sights to the commercial sector. Night Dragon was one of the first attacks focused specifically on the energy sector. According to a Forbes article, “Rather than leveraging comprised machines within the organization generically, Night Dragon is designed to extract specific pieces of information and intellectual property.”

Night Dragon attack details

Night Dragon is a Trojan backdoor without worm infection capabilities; therefore, it couldn’t self-propagate. Attackers installed Night Dragon on different computers using a Trojan dropper file (.exe) on a Windows share. They were able to combine social engineering with coordinated, targeted cyberattacks using trojans, remote control tools (RATs), spear phishing, vulnerability exploits in the Windows operating system and active directory compromises.

The attack sequence was strategically designed to get to the end goal of attaining executive, confidential information, such as sensitive competitive proprietary operations and project financing information about oil and gas field bids and operations. According to McAfee’s investigation, the attack sequence was as follows. First, the threat actors compromised public-facing web servers with SQL injection and installed malware and RATs. Next, they used the infected web servers to attack internal targets. Then, they started spear-phishing attacks on mobile worker laptops to infect VPN-connected accounts and gain additional internal access to be able to continue up the chain of command. They used password stealing tools to access other systems while also installing RATs and malware in the process. Finally, they were able to gain access to computers that belonged to executives to capture their email and files.

The attacks hit at least 71 organizations, such as defense contractors, businesses across the world, the United Nations and the International Olympic Committee, and all lost private information. These strikes proved how ineffective cybersecurity still was and set the foundation for how other attacks could evolve into something greater than just stealing information. Night Dragon demonstrated that attackers now could compromise ICSs, as well.

Behind the screens

McAfee’s investigation found that the hackers behind the attacks were based in China. They were leveraging widely-used Chinese-language hacking tools, and the IP addresses were originally traced to Beijing. While the hackers used multiple locations in China, the command-and-control servers were traced to a company, based in Heze City, Shandong Province.

No one was able to tell if the Chinese government had sanctioned these attacks or if it was a private company. The attackers reach extended to the United States and the Netherlands, as well as to individuals and executives in Kazakhstan, Taiwan and Greece.

Night Dragon controversy

There were some researchers that didn’t agree with McAfee’s conclusions about both the attackers’ origins and whether the attacks were truly related, since many of the components within the Night Dragon attacks were publicly available and known in hacking circles. Other cyberattacks that were happening around the same time were proving that the cybersecurity landscape was changing.

According to security expert Marc Maiffret, from eEye, “the fact that so many components within the Night Dragon attacks are publicly available and known in hacking circles makes it even harder to really say with any authority which attacks were related or not. This is again very different than the extremely targeted and customized nature of Operation Aurora – or even more so, Stuxnet.”

According to a DarkReading article, some industry observers believed that attacks such as Night Dragon, Project Aurora and Stuxnet were changing the nature of corporate data protection. “When Stuxnet first surfaced, there was mass speculation of insider involvement, because not just anyone has access to an industrial control system, to develop targeted malware against,” notes Eric Knapp, director of critical infrastructure markets at SIEM vendor NitroSecurity. “But the biggest threat about APTs is that there are no longer any guaranteed secrets. The rebels didn’t do a site survey to discover the Death Star’s weaknesses, they stole the plans. Stuxnet is readily available as a blueprint for new malware, and now the ‘inside information’ for a new control system infrastructure has been stolen.”


Night Dragon taught researchers many lessons. A primary one was that a skillful and persistent adversary could break into critical infrastructure using relatively simple techniques. The attacks also made a lasting impression on the lead investigator, Dave DeWalt, who created his own company called NightDragon as a tribute to the attacks. According to their website, the attack and subsequent investigation and response to the breach led by McAfee were a seminal moment in the history of the cybersecurity, safety, security and privacy industry. The NightDragon team invests and advises companies that they believe can help close the gap between offense and defense.

More and more threat actors arrive on the scene every day. In this case, more threats weren’t the only aftereffect. This attack had started opening the door to major nation-state cyberattacks. Cyberattacks of this kind, magnitude and reach were just beginning and have continued to evolve into what we see today.




Keep your finger on the pulse of top industry news