Symantec has released a report outlining a “recent targeted attack campaign directed primarily at private companies involved in the research, development, and manufacture of chemicals and advanced materials.”
The attack, named Nitro, appears to have been aimed at collecting intellectual property including design documents, formulas and manufacturing processes.
Symantec believes this attack is merely the latest in a wave which started in July 2011 and continued through to mid September. The Command and Control (C&C) servers had been in use as early as April 2011, when the focus was on human rights related NGOs. In late May the motor industry was the target. In July the most recent attack, against the chemical industry, began; this was the most prolonged attack.
Symantec has confirmed at least 29 companies in the chemical sector were targeted, with 19 in a variety of other sectors including defence. In a single two week period recently “101 unique IP addresses contacted a C&C server with traffic consistent with an infected machine. These IPs represented 52 unique ISPs or organisations in 20 countries.”
Companies affected include multiple Fortune 100s involved in the research and development of chemical compounds; those developing advanced materials primarily used in military vehicles; and companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.
The attacks were launched over email. After researching a target, an email tailored to that target was sent. In most companies only a handful of targets were identified, but in others a scattergun approach seems to have been used, with one organisation seeing 500 individuals receive an email. The emails varied, but two primary methodologies emerged:
- When a specific target was involved, the mail often appeared to be a meeting invitation from established business partners.
- The broader emails tended to be in the form of a necessary security update.
These emails then contained an executable attachment either as a password-protected archive containing the executable file or under the guise of a text file. The self-extracting executable contained PoisonIvy, a common backdoor Trojan developed by a Chinese speaker and freely available on the internet.
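The two delivery forms described above (a password-protected archive wrapping an executable, and an executable passed off as a text file) are both detectable at the mail gateway without opening the payload. The following is an added example of such an attachment triage check; it is not code from Symantec's report or from the Nitro campaign. All sample attachments are constructed inline (the fake "PE" is just an `MZ` header followed by filler, not a real executable), and the function names `inspect_attachment` and `make_protected_zip` are this example's own.

```python
from __future__ import annotations

import io
import struct
import zipfile

PE_MAGIC = b"MZ"                 # every Windows executable starts with the DOS stub header
ZIP_LOCAL_SIG = b"PK\x03\x04"    # zip local file header signature
ZIP_CENTRAL_SIG = b"PK\x01\x02"  # zip central directory header signature
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOCUMENT_EXTENSIONS = {"txt", "doc", "pdf", "rtf"}

# Constructed stand-in for an executable attachment: MZ header plus filler, not a real PE.
FAKE_PE = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing matched."""
    findings: list[str] = []
    ext = _extension(name)

    # Case 1: the bytes are an executable, whatever the filename claims.
    if data.startswith(PE_MAGIC):
        findings.append("pe_executable")
        if ext in DOCUMENT_EXTENSIONS:
            findings.append("extension_mismatch")  # "text file" that is really a program

    # Case 2: a zip archive; check the encryption bit and the member names.
    if data.startswith(ZIP_LOCAL_SIG):
        # General-purpose bit flag sits at offset 6 of the local header;
        # bit 0 set means the entry is password protected.
        flags = struct.unpack_from("<H", data, 6)[0]
        if flags & 0x0001:
            findings.append("password_protected_archive")
        try:
            # Member names live in the central directory, readable without the password.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(_extension(i.filename) in EXEC_EXTENSIONS for i in zf.infolist()):
                    findings.append("executable_in_archive")
        except zipfile.BadZipFile:
            findings.append("malformed_archive")

    return findings


def make_protected_zip(member_name: str, payload: bytes) -> bytes:
    """Build a constructed test archive with the encryption flag set on its one member.

    zipfile cannot write encrypted archives, so the flag is patched into both the
    local header (offset 6) and the central directory entry (offset 8) after writing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    data[6:8] = struct.pack("<H", 0x0001)
    cd = data.find(ZIP_CENTRAL_SIG)
    data[cd + 8:cd + 10] = struct.pack("<H", 0x0001)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "agenda.txt": b"Meeting agenda for Monday\n",          # benign text
        "security_update.txt": FAKE_PE,                         # executable posing as text
        "security_update.zip": make_protected_zip("update.exe", FAKE_PE),
    }
    for name, blob in samples.items():
        print(f"{name}: {inspect_attachment(name, blob) or 'clean'}")
```

The check deliberately never extracts or executes anything: a mismatch between the claimed extension and the leading bytes, or a zip whose central directory lists an executable while its entries are encrypted, is enough to quarantine the message for review.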
On opening the attachment, PoisonIvy would immediately be installed. Once installed, it contacted a C&C server on TCP port 80. The attackers could then instruct the computer to provide its IP address, the names of other computers in the workgroup or domain, and dumps of Windows cached password hashes. The attackers then had the capacity to infect additional computers on the network. Their primary goal seems to have been to “obtain domain administrator credentials and/or gain access to a system storing intellectual property”. Once the data had been found, it was copied to archives on internal systems used as staging servers.
From here the content was then uploaded to a remote site outside of the compromised organisation. The majority of infected machines were in the US, Bangladesh and the UK. The organisations targeted were often in a different location to the infected machines, but those based in the UK and US figure the highest. Symantec concludes that the attacks were not targeting companies in a particular country.
Symantec managed to trace the attacks to a VPS in the United States. This system was owned by a “20-something located in the Hebei region in China”. Based on the literal translation of his name he has been given the pseudonym Covert Grove. He claimed the VPS was purely for logging into the QQ instant message system and the static IP from the VPS allowed for this. Symantec was not able to ascertain whether Covert Grove worked alone or how large his role in the attacks was.
The fallout from this widespread attack is not yet known and might not be felt for a while.