'Nitro' Hackers Rifle Through Chemical Companies' Secret Data
Nov 1, 2011 12:10 PM PT
From April through mid-September, with a 45-day hiatus in between, hackers were busy attacking a series of targets, culminating in the chemical and defense industries, Symantec has reported.
A total of 29 chemical industry companies and 19 others, mainly in the defense sector, were hit.
The hackers allegedly stole intellectual property from their victims.
Symantec has nicknamed the attacks on the chemical industry "Nitro."
The attackers have apparently used the same methodology as that employed to breach the systems of security vendor RSA back in March.
They sent emails that appeared to come from a trusted source to a select group of people. Each email carried an attachment that installed information-stealing malware when the recipient opened it.
The attacks were traced back to a virtual private server (VPS) located in the United States that was owned by a young man in China's Hebei province who has some computer expertise, according to the report.
However, the suspect, whom Symantec has dubbed "Covert Grove," appears to have a legitimate reason for using the U.S.-based VPS.
How can enterprises protect themselves from this kind of attack?
"Don't open unexpected attachments, use data loss protection techniques to safeguard intellectual property, and use device control to prevent use of unauthorized removable devices within networks," Jeff Wilhelm, a senior researcher with Symantec Security Response, told TechNewsWorld.
In all, 29 chemical industry companies, including multiple Fortune 100 companies conducting research and development on chemical compounds and advanced materials, were hit, Symantec said.
Another 19, including companies that develop advanced materials primarily for military vehicles, were also hit.
The attackers appear to be collecting intellectual property from their victims.
After researching potential victims, the attackers sent emails targeted specifically to 100 to 500 people in the companies selected.
The emails came with an attachment that contained Poison Ivy, a backdoor Trojan: a remote administration tool that gives the attacker control of the infected computer, and from there a foothold on the network, without going through the normal authentication and security mechanisms.
Using that backdoor, the attackers moved through the network collecting information, staged it on an internal server, and then sent it from that server to a server outside the company.
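The staging step described above (many internal hosts push data to one internal machine, which then ships it out) leaves a fan-in-then-fan-out shape in network flow data that a defender can look for. The script below is an added example written for this page, not code from the article or from Symantec; it assumes flow records of the form (timestamp, source IP, destination IP, bytes), treats the RFC 1918 ranges as "internal", and uses constructed sample flows and illustrative thresholds (three or more internal sources, 50 MB outbound) that a real deployment would tune.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 ranges count as "inside"; anything else is external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records (epoch seconds, src IP, dst IP, bytes), not real
# telemetry. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    (900,  "10.0.1.5",  "203.0.113.10", 5_000_000),   # outbound before any staging: ignored
    (1000, "10.0.1.11", "10.0.1.5",     20_000_000),  # four workstations push data
    (1100, "10.0.1.12", "10.0.1.5",     25_000_000),  # to 10.0.1.5 ...
    (1200, "10.0.1.13", "10.0.1.5",     15_000_000),
    (1300, "10.0.1.14", "10.0.1.5",     30_000_000),
    (2000, "10.0.1.5",  "203.0.113.10", 60_000_000),  # ... which then ships it out
    (2100, "10.0.1.5",  "203.0.113.10", 25_000_000),
    (1500, "10.0.2.7",  "198.51.100.5", 90_000_000),  # big upload, no fan-in: not staging
    (1000, "10.0.1.11", "10.0.1.50",    1_000_000),   # ordinary file server: fan-in
    (1050, "10.0.1.12", "10.0.1.50",    2_000_000),   # but no outbound transfer
    (1060, "10.0.1.13", "10.0.1.50",    1_500_000),
]


def find_staging_hosts(flows, min_sources=3, min_outbound_bytes=50_000_000):
    """Return internal hosts that received data from at least min_sources other
    internal hosts and afterwards sent at least min_outbound_bytes to a single
    external destination. Thresholds are illustrative assumptions.

    Each finding is a dict: host, sources (count), external_dst, bytes.
    """
    inbound_sources = defaultdict(set)   # internal dst -> set of internal src
    first_inbound = {}                   # internal dst -> earliest inbound ts
    outbound = defaultdict(list)         # internal src -> [(ts, external dst, bytes)]

    for ts, src, dst, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in and src != dst:
            inbound_sources[dst].add(src)
            first_inbound[dst] = min(ts, first_inbound.get(dst, ts))
        elif src_in and not dst_in:
            outbound[src].append((ts, dst, nbytes))

    findings = []
    for host, sources in inbound_sources.items():
        if len(sources) < min_sources:
            continue
        # Only count outbound traffic that happened after staging began.
        per_dst = defaultdict(int)
        for ts, dst, nbytes in outbound.get(host, []):
            if ts >= first_inbound[host]:
                per_dst[dst] += nbytes
        for dst, total in per_dst.items():
            if total >= min_outbound_bytes:
                findings.append({"host": host, "sources": len(sources),
                                 "external_dst": dst, "bytes": total})
    return sorted(findings, key=lambda f: (f["host"], f["external_dst"]))


if __name__ == "__main__":
    for f in find_staging_hosts(SAMPLE_FLOWS):
        print(f"{f['host']} collected from {f['sources']} hosts, "
              f"then sent {f['bytes']} bytes to {f['external_dst']}")
```

On the constructed data only 10.0.1.5 is reported: the file server has the fan-in but never talks outside, and the lone 90 MB upload has no fan-in behind it. The time check matters in practice, because a host that routinely syncs to an external service will otherwise be flagged the moment a few peers send it anything.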
All Good Things Come in Time
Symantec was able to track activity on the command and control servers used in the attacks back to April, Wilhelm said, but "did not become fully aware of the scope of the threat until late September."
Once it realized that the attacks were a coordinated malware campaign, "we worked closely with partners to shut the botnet down as quickly as possible," Wilhelm continued.
There's so much malware being detected daily that "it can be difficult to distinguish a coordinated malware campaign from a one-off threat," Wilhelm added.