Chinese cyberspying in the oil fields

Roslan Rahman AFP/Getty Image

A China-based man named Song Zhiyue has provided cheap U.S. computer servers for hackers who used everyday tools to infiltrate five multinational energy companies for as many as four years, according to a report issued today by McAfee. Song, based in the Shandong Province’s Heze City, in eastern China, is one of an undetermined number of other hacking specialists working normal business hours in Beijing to infiltrate the computer systems of energy companies in four countries — the United States, Taiwan, Greece and Kazakhstan. McAfee did not identify the companies but said that Song’s operation and that of the hackers have not been shut down.

The attacks are a sign of the increasing difficulty and high stakes involved in oil and gas exploration, and of the lengths to which some companies and countries are willing to go to get access to the fields. The octopus-like hacking operation was built to mine financial and exploration data on oil and gas fields that was critical to bidding for the fields, McAfee said. The attacks suggest that officials or companies in China were attempting to understand fields that were or were going to be under bid; the financial and other plans of rivals that might bid on the same fields; and the equipment already at the fields or that might be used to explore or produce there.

Such information would obviously be highly valuable in a bidding contest. In addition to the five companies identified, the hackers got into the systems of seven other as-yet unidentified companies.

A few days ago, Mara Hvistendahl wrote a piece here at Foreign Policy describing the freelance army of Chinese hackers out there, some of them prepared at universities but otherwise self-trained and ready to infiltrate anyone’s activities. That demonstrates the size of the talent pool for this brand of breaking-and-entering. But a different kind of skill — a sophistication with oilfield contracts and value — would be necessary in this case to make any use of what they found.

McAfee identified Song, his location, that of the hackers and the hours they work (9 a.m. to 5 p.m. Beijing time) through a study of the codes and IP addresses left behind and used by the hacking system. Song provided the servers for as little as $10 for 100 megabytes of space, McAfee said. If anything came of what these enthusiasts turned up, they were from a finance and specifically energy finance background.

As far as I can tell, The Wall Street Journal’s Nathan Hodge and Adam Entous are the only reporters to have Song’s actual identity — the McAfee report does not include it. Hodge and Entous contacted Chevron, the biggest multinational oil player in Kazakhstan. The company said it isn’t aware of hackers having infiltrated any of its computer systems. Both BP and ExxonMobil declined to comment to the paper.

George Kurtz, McAfee’s chief technology officer, said in a blog post that the hackers used totally ordinary and long-known methods, which is why they were able to fly under the radar screen for so long. What are some of the tell-tale signs that the attacks were based in China? "The tools, techniques, and network activities used in these attacks originate primarily in China," Kurtz said. "These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups."

Steve LeVine is a contributing editor at Foreign Policy, a Schwartz Fellow at the New America Foundation, and author of The Oil and the Glory.
