Senior executives at the three of the world's largest oil and natural gas companies were targeted by a highly sophisticated and aggressive malware campaign in 2008 that was designed to steal key proprietary data—including multi-million-dollar research to locate the next great oil discovery—according to a report this week on the Christian Science Monitor Web site.

ExxonMobil (NYSE: XOM), ConocoPhillips (NYSE: COP) and Marathon Oil (NYSE: MRO) executives who were unwittingly duped by unsolicited e-mails caring the data-extracting malware were finally notified of the scam in early 2009, according to unnamed law enforcement and IT security experts quoted in the article.

Security experts familiar with the attacks said this new form of corporate and, quite possibly, nation-sponsored espionage utilized custom spyware that is virtually undetectable by antivirus software applications used by the vast majority of large companies around the globe.


Targeting senior executives in a company is not new, but the level of sophistication of these attacks take the concept to a whole new level.

This particular wave of attacks focused on proprietary data, including "bid data"—the files containing details on the quantity, value and location of oil discoveries around the word. Officials close to the investigation said some of the attacks appeared to originate in China and that servers located in the Communist nation were used to store some of the stolen data.

For now, officials at all three oil companies are refusing to comment on the attacks.

"What these guys [corporate officials] don't realize, because nobody tells them, is that a major foreign intelligence agency has taken control of major portions of their network," a person said to be familiar with the attacks told the CSM. "You can't get rid of this attacker very easily. It doesn't work like a normal virus. We've never seen anything this clever, this tenacious."

Those sentiments compelled security software giant McAfee on Tuesday to notify InternetNews.com and other media outlets that on Thursday it and the Center for Strategic and International Studies will reveal the results of an extensive global study chronicling the activities and impact of those perpetrating cyber attacks against critical infrastructure operators around the world.

"Their networks and control systems are under repeated cyber attacks, such as the recent attacks on Exxon and ConocoPhillips," McAfee said in the e-mailed statement. "(The report) will reveal cost and impact of cyber attacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks."

McAfee and other leading security software vendors have repeatedly warned enterprise customers that coordinated hacking attacks using sophisticated malware threaten to undermine not only individual data security but American companies' ability to remain competitive in the global economy.

This latest security bombshell comes on the heels of this month's revelation that the computer networks owned and operated by Google and more than two dozen other U.S. companies were infiltrated by Chinese hackers—or possibly by hackers hired by or sympathetic to the Chinese government—through a flaw in Microsoft's Internet Explorer browser.

Chinese officials have denied any involvement in the attacks.

Details of the attack

Investigators told the oil company honchos that proprietary data, including e-mail passwords, messages and other sensitive data pertaining to oil exploration and discovery, was passed on to computers overseas including—in at least one instance—to a computer in China.

In one instance cited by officials close to the investigation, a senior executive at Marathon Oil received an e-mail that appeared to be a reply to an e-mail she had sent to a colleague based in another country. However, the executive knew something was amiss because the subject line read "Emergency Economic Stabilization Act," and she knew that she had never sent the original e-mail.

This particularly executive was savvy enough to avoid clicking on the embedded link in the body of the e-mail but others within Marathon did, allowing hackers to access and surveil a vast and potentially crippling reservoir of competitive proprietary information.

Executives at ExxonMobil and ConocoPhillips were targeted with almost identical versions of the e-mail scam, sources told the CSM.

"The recent cyber attacks attributed to China are targeting critical information in corporate databases," Thom VanHorn, vice president of marketing at security software vendor Application Security, said in an e-mail to InternetNews.com. "These attackers are after the sensitive and proprietary information that differentiate these large companies and provide them with competitive advantage."

"This news highlights an attack on oil companies, but attacks are occurring every day and no industry is immune," he added. "Industry research shows that today’s antivirus [programs] may miss 20 percent of Trojans. With that in mind, it is critical that organizations lock down and monitor the data where it is stored—in the database," he added.

Investigators looking into the oil company attacks said the attackers were definitely targeting specific information—the bid data—which would be especially valuable to state-owned energy companies looking for new oil reserves without having to invest millions in exploration costs.

In its latest cyber attack report, McAfee researchers warned that number of incidents and network infiltrations that appear to be linked to nation-states and political goals continue to increase.

"With critical infrastructure as likely targets of cyber attacks, and private company ownership of many of the information systems in these sectors, private companies will likely be caught in the crossfire," the McAfee report said. "There is active debate as to when a cyber attack reaches the threshold of damage and disruption to warrant being categorized as cyber warfare."

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.