Was China behind cyberattacks on U.S. oil industry?
By MARK CLAYTON
HOUSTON — At least three U.S. oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.
The oil- and gas-industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.
The companies — Marathon Oil, ExxonMobil and ConocoPhillips — didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.
The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.
Though China’s involvement in the attacks is far from certain, at least some data were detected flowing from one oil company computer to a computer in China, a document indicates. Another oil company’s security personnel privately referred to the breaches in one of the documents as the “China virus.”
“What these guys [corporate officials] don’t realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network,” says the source familiar with the attacks. “You can’t get rid of this attacker very easily. It doesn’t work like a normal virus. We’ve never seen anything this clever, this tenacious.”
Neither Marathon Oil, ExxonMobil, nor ConocoPhillips would comment on the attacks or confirm that they had happened. But the breaches, which left dozens of computers and their data vulnerable in those companies’ global networks, were confirmed over a five-month Monitor investigation in interviews with dozens of oil-industry insiders, cybersecurity experts, former government officials and by documents describing the attacks.
More sophisticated
The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations. Experts say the new cyberburglary tools pose a serious threat to corporate America and the long-term competitiveness of the nation.
“We’ve had friends in the petroleum industry express grave concern because they’ve spent hundreds of millions of dollars finding out where the next big oil discovery will be,” says Ed Skoudis, cofounder of InGuardians, a computer security firm, who was called last year to help a big oil-and-gas company secure its bid data after its computer network was infiltrated. He wouldn’t name the company. “The attacker would be saving huge expenses for himself by stealing that data.”
Not so long ago, computer hacking mainly was the handiwork of individuals with overactive imaginations and good programming skills, and they often broke into computers for sport. More recently, people with more-sinister motives — including organized criminal gangs — have made an industry out of stealing credit-card information and personal identities for quick cash.
But lurking in the cybershadows is a far more insidious and sophisticated form of computer espionage that, until the recent exposure by search-engine titan Google, was little publicized and often went undetected. Such attackers represent the elite — a dark army of cyberspies targeting the heart of corporations around the world where trade secrets, proprietary data, and cutting-edge technologies lie locked away in digital fortresses.
Some of these attacks are believed to be carried out by foreign governments or their surrogates.
China, Russia in forefront
Though most major nations, including the U.S., are conducting Internet espionage, experts say two traditional U.S. adversaries, China and Russia, are among the most aggressive and adept at carrying out such attacks. Both countries are known to have large communities of hackers and a deep base of computer-security expertise.
“China, more so than Russia, has a large number of hacker clubs watched closely by the government,” says O. Sami Saydjari, a former Department of Defense employee who runs Cyber Defense Agency, a Wisconsin-based security firm. “These talent pools are all potential recruits for China’s professional cyberwarfare units. We strongly suspect they encourage their hacker groups to go out and attack foreign entities and get practice.”
Spying on other countries’ defense agencies and diplomatic corps undoubtedly remains a focus of Internet espionage. But cyberspies are increasingly targeting strategically important businesses, both because of the information to be gleaned and because their defenses are often easier to penetrate.
Google has said it found evidence of at least 20 companies in an array of U.S. industries that had been infiltrated by attacks from China. Was the Chinese government involved? China adamantly says “no.” Whether it was or not, the Google breach reveals how pervasive the new espionage war is becoming and how sophisticated the tools are with which it is being waged.
But before Google there was Marathon.
Fake e-mails
On Nov. 13, 2008, a senior executive at Marathon Oil in Houston looked at a strange e-mail on her screen. It appeared to be a response to a message she had sent a corporate colleague overseas. The only problem was, according to a source familiar with the incident who asked for anonymity, she hadn’t sent the original e-mail.
Yet there, on her screen, was a “reply” to what looked like her request for a comment on the “Emergency Economic Stabilization Act” — the federal bailout of U.S. banks. And the original e-mail contained something else: an embedded Internet link. Recognizing the danger, the executive sent out an internal warning that the e-mail was fake and may contain a computer virus.
But, according to the source and documents obtained by the Monitor, her response was too late. The fake had already been forwarded to other people — and someone had clicked on the link it contained. Instantly, an unseen spy program started spreading stealthily across Marathon’s global computer network.
Nearly identical fake e-mails that appeared to come from senior executives were also sent to colleagues in key posts at ExxonMobil and ConocoPhillips — all containing a request for them to analyze the Economic Stabilization Act noted on the subject line, a source familiar with the attacks says.
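The lure described above has a detectable shape: it arrives as a "reply" to a message the recipient never sent, and it carries a link. The following is an added example (not code from the article or from any of the companies named) of a mail-gateway check that flags inbound replies whose In-Reply-To/References headers point at Message-IDs absent from the organization's own sent-mail record; the addresses, Message-IDs and the sent-ID store are constructed sample data.

```python
import re
from email import message_from_string

# Constructed: Message-IDs the gateway has recorded as sent by our own users.
SENT_MESSAGE_IDS = {"<20081112.1001@example-oil.test>",
                    "<20081112.1002@example-oil.test>"}

LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MSGID_RE = re.compile(r"<[^>]+>")


def referenced_ids(msg):
    """Every Message-ID the mail claims to be replying to."""
    ids = set()
    for header in ("In-Reply-To", "References"):
        ids.update(MSGID_RE.findall(msg.get(header, "")))
    return ids


def classify_reply(raw, sent_ids=SENT_MESSAGE_IDS):
    """Flag a 'reply' whose thread has no origin in our sent mail and that carries a link."""
    msg = message_from_string(raw)
    refs = referenced_ids(msg)
    body = "" if msg.is_multipart() else msg.get_payload()
    looks_like_reply = bool(refs) or msg.get("Subject", "").lower().startswith("re:")
    orphan_thread = looks_like_reply and not (refs & sent_ids)
    has_link = bool(LINK_RE.search(body))
    return {"orphan_thread": orphan_thread, "has_link": has_link,
            "suspicious": orphan_thread and has_link}


# Constructed lure: a reply to a message the executive never sent, with a link.
LURE = """\
From: colleague@example-oil.test
To: executive@example-oil.test
Subject: Re: Emergency Economic Stabilization Act
In-Reply-To: <fake.20081113@attacker.invalid>

Please see my analysis at http://analysis.example.invalid/eesa
"""

# Constructed legitimate reply: its thread originates in our own sent mail.
LEGIT = """\
From: colleague@example-oil.test
To: executive@example-oil.test
Subject: Re: Q4 budget
In-Reply-To: <20081112.1001@example-oil.test>

Figures attached in the next message.
"""

if __name__ == "__main__":
    print(classify_reply(LURE), classify_reply(LEGIT))
```

A gateway with no sent-mail record can still apply the link-in-orphan-reply rule to a smaller set by keying on Subject "Re:" alone, at the cost of more false positives on external threads.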
How successful the cyberspies ultimately were — whoever they were — isn’t publicly known.
Many experts say the theft of this kind of information — about, for instance, the temperature and valve settings of chemical-plant processes or the source code of a software company — can give competitors an advantage, and over time could degrade America’s global economic competitiveness.