

Operation Sloppy Night Dragon

They should have called it Operation Sloppy Joe.

McAfee is stirring cyberwar book authors into high alert again. Expect to see the authors issue new warnings, recommend the purchase of new products (probably made in China), tell you to buy their book(s), and give lots of attention to a report titled “Global Energy Cyberattacks: Night Dragon.”

I will cover this in my presentation next week at BSidesSF (Dr. Stuxlove or how I learned to stop worrying and love the worm) but here’s a sneak preview.

McAfee has determined that all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 a.m. to 5:00 p.m. Beijing time, which also suggests that the involved individuals were “company men” working on a regular job, rather than freelance or unprofessional hackers.

That is not the conclusion I would draw from the same data. They are making some funny and highly improbable assumptions:

  1. The attackers are male (Ok, cheap shot, I know, but srsly “company men?” Is this 1950?)
  2. The attacks correspond to 9-5 daytime in Beijing, so they must be related to a regular Joe. Get it? Sloppy Joe. Why not assume the opposite — night-time attacks from freelance or unprofessional hackers? Heck, why not assume professional night-time hackers using Beijing proxies? And they might not be sloppy so much as cost-effective. They still went undiscovered for a good long time, and saved money over more secretive methods.
  3. The attackers used Chinese language attack tools, therefore they must be Chinese. This is a reverse language bias that brings back memories of L0phtCrack. It only ran in English. I mean if you ran L0phtCrack, it made you an American, right? Neat how that works. It used to be so hard to get Chinese citizenship. Now you just run Hookmsgina and blammo! You start waking up as a company man for 9am Beijing time — metamorphosis.
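
To make the second point concrete, here is an added example (not from the original post or the McAfee report) that tests which time zones and schedules a set of activity timestamps is consistent with, instead of assuming one. The session times are constructed, and the 17:00-01:00 "evening shift" window and all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

def constructed_sessions():
    """Constructed sample (not data from the report): 20 session times in UTC,
    built to fall on weekdays between 09:00 and 17:00 at UTC+8."""
    monday = datetime(2011, 1, 3, 1, 0, tzinfo=timezone.utc)  # Mon 09:00 at UTC+8
    marks = ((0, 10), (2, 30), (4, 45), (7, 20))  # hours, minutes into the day
    return [monday + timedelta(days=d, hours=h, minutes=m)
            for d in range(5) for h, m in marks]

def local_profile(sessions_utc, offset_hours):
    """Return (office, evening): the fraction of sessions that land in local
    weekday 09:00-17:00 and in local 17:00-01:00 (assumed after-hours window)."""
    tz = timezone(timedelta(hours=offset_hours))
    office = evening = 0
    for ts in sessions_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and 9 <= local.hour < 17:
            office += 1
        elif local.hour >= 17 or local.hour < 1:
            evening += 1
    return office / len(sessions_utc), evening / len(sessions_utc)

def consistent_hypotheses(sessions_utc):
    """Every (UTC offset, schedule) pair that explains all of the sessions."""
    found = []
    for offset in range(-12, 15):
        office, evening = local_profile(sessions_utc, offset)
        if office == 1.0:
            found.append((offset, "office hours"))
        if evening == 1.0:
            found.append((offset, "evening shift"))
    return found

if __name__ == "__main__":
    for offset, schedule in consistent_hypotheses(constructed_sessions()):
        print(f"UTC{offset:+d}: {schedule}")
```

The same timestamps fit an office day at UTC+8 and an after-hours evening at UTC-8, and neither reading accounts for a proxy sitting between the operator and the logged address.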

Seriously, though. The evidence continues to show that innovation is still alive and well as a form of imitation, as I have written before. Competitors will try to get inside information to copy and improve upon their own processes and products without the cost of invention. This has been a risk since the beginning of competition. Are we at cyberwar yet?

There is a reason the iPhone adopted the Garmin-like touch screen and form-factor and added a Google-like scrolling interface…it could be the very same reason someone is trying to study critical infrastructure in America. Or they might want to get insider information so their next round of surveillance/control is more sophisticated. Or they might want to get more power and money for anti-Chinese cyber programs. The problem is that the report gives a lot of room for interpretation and pot stirring instead of a clear case.

Posted in Security.


2 Responses


  1. Pete Simpson says

    Great to see some evidence of rational thinking on this issue. It is a ridiculously simple exercise to implicate the Chinese. I have my suspicions of the true sources of the attackers, but will keep them to myself. Let the herd be fooled and mosey on in blissful ignorance.

Continuing the Discussion

  1. Tweets that mention Operation Sloppy Night Dragon – flyingpenguin -- Topsy.com linked to this post on February 12, 2011

    […] This post was mentioned on Twitter by Cyber Informer and Win Security, davi ottenheimer. davi ottenheimer said: Operation Sloppy Night Dragon http://goo.gl/fb/cUhiq […]


