Nitro Hackers


'Nitro' hackers target chemical and defense companies, says Symantec

Researchers from Symantec say they uncovered a hacking campaign that targeted chemical and advanced material companies, including those that develop materials primarily for use in military vehicles. In a report released Oct. 31, Symantec security response personnel Eric Chien and Gavin O'Gorman say they observed a wave of attacks dubbed "Nitro" that took place from late July through mid-September.

Report authors describe an increasingly well-known attack vector--namely, that of a spear phishing email with an attachment containing a self-extracting executable. The email "often purported to be meeting invitations from established business partners," they note. At other times, it purported to be a security update.
The executable file contained PoisonIvy, a common backdoor Trojan developed by a Chinese hacker, they add. Once installed, PoisonIvy contacted a command and control server on TCP port 80. Attackers then instructed the infected computer to provide its Internet protocol address, the names of all other computers in the same domain and dumps of Windows-cached password hashes.
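A defender-side check suggested by the command-and-control detail above, added here as an example and not taken from Symantec's report: a backdoor that talks to its server on TCP port 80 blends in with web traffic only if nobody checks that the session actually looks like HTTP. The script flags hosts whose outbound TCP/80 sessions do not open with an HTTP request line; the flow records, hostnames and addresses are constructed sample data, and the heuristic is an assumption of this example, not a description of PoisonIvy's own protocol.

```python
"""Flag outbound TCP/80 sessions whose first client bytes are not an HTTP
request line. Assumes a sensor (proxy, IDS, flow collector) that records the
first bytes each client sends; SAMPLE_FLOWS below is constructed sample data."""
import re
from collections import defaultdict

# Request line a legitimate HTTP/1.x client would open with.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)

# Constructed records: (time, src_host, dst_ip, dst_port, first_client_bytes).
SAMPLE_FLOWS = [
    ("09:14:01", "ws-lab-07", "198.51.100.10", 80, b"GET /news HTTP/1.1\r\nHost: example.com\r\n"),
    ("09:14:09", "ws-lab-07", "203.0.113.25", 80, b"\x8f\x1a\x00\x3c" + b"\x00" * 12),
    ("09:15:40", "ws-lab-07", "203.0.113.25", 80, b"\x10\x77\xab\x02" + b"\x00" * 12),
    ("09:16:02", "ws-fin-03", "198.51.100.11", 80, b"POST /login HTTP/1.0\r\n"),
    ("09:18:30", "ws-fin-03", "203.0.113.25", 443, b"\x16\x03\x01\x00\xa5"),  # TLS, not port 80
]


def is_http_request(first_bytes: bytes) -> bool:
    """True if the client's opening bytes form an HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def find_non_http_port80(flows):
    """Return {src_host: sorted dst_ips} for port-80 sessions that do not start
    with an HTTP request line. Only port 80 is examined; TLS on 443 is out of
    scope for this heuristic and would need a separate check."""
    hits = defaultdict(set)
    for _time, src, dst, dport, first in flows:
        if dport == 80 and not is_http_request(first):
            hits[src].add(dst)
    return {host: sorted(dsts) for host, dsts in hits.items()}


if __name__ == "__main__":
    for host, dsts in find_non_http_port80(SAMPLE_FLOWS).items():
        print(f"{host}: non-HTTP traffic on TCP/80 to {', '.join(dsts)}")
```

Hosts the check reports are candidates for the follow-on review the article implies: whether the same machine then enumerated domain computers or read cached credentials.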
Attackers' primary goal was to gain access to intellectual property, Chien and O'Gorman say. They traced the attacks back to a virtual private server located in the United States, one owned by "a 20-something male located in the Hebei region in China," they say.
Based on his Chinese handle, report authors dubbed him Covert Grove. In interactions with the authors, Covert Grove said he maintained a U.S.-based virtual private server for the sole purpose of maintaining a static IP address, which he needed in order to turn on a login restriction access feature on a popular Chinese instant messaging system known as QQ. Covert Grove's story "seems suspicious," the report says.
Further, when asked about his hacking skills, Covert Grove "immediately provided a contact that would perform 'hacking for hire'"--although whether he or another person would have conducted the hacking is unknown.
Of the organizations that had infected computers in contact with the command and control server in the 2 weeks Symantec monitored Nitro, 12 were American and 5 from the United Kingdom. Single organizations from Belgium, the Netherlands, Italy, Saudi Arabia and Japan were also affected, as were two from Denmark.
The researchers estimate that a total of 20 companies in the chemical sector were attacked and another 19 in other sectors, primarily the defense sector.