After gaining a foothold on oil executives’ laptops, the hackers were able to get direct access to the companies' networks – bypassing firewalls and other defenses, McAfee said. The hackers then began downloading “files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding,” it said.
In some instances, however, the cyberattackers also collected data from industrial control systems that can contain proprietary production data, such as pressure and temperature settings and valve openings needed to produce a product properly. That information is not only useful for competitors; it also could be used by saboteurs to create explosions or to tamper with product quality, although McAfee reported no signs of that kind of activity.
While most hackers cover their tracks by threading their way through a maze of computer servers spanning many nations, the ones in this case left a clear trail, said McAfee. China is definitely the origin of these cyberespionage attacks, it added.
“We have strong evidence suggesting that the attackers were based in China,” Mr. Kurtz wrote. “The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups.”
McAfee's report did not identify the names or the number of oil companies involved. The Wall Street Journal, however, on Thursday reported that five oil companies were hit by the attacks.
In January 2010, a Monitor investigative report found that cyberespionage attacks believed to come from China had infiltrated computer networks belonging to at least three global oil giants. Cybersecurity experts say the McAfee findings strongly echo that earlier Monitor report.