Security Experts:

Coordinated Cyber Attacks Hit Chemical and Defense Firms

At Least 48 Companies Targeted in Cyber Attacks Across Several Industries

Attackers have been targeting chemical and defense companies around the world in a cyber-campaign designed to steal information.

Nitro Attacks Hit Chemical FirmsThe attacks have been dubbed ‘Nitro’ by Symantec, which released a whitepaper on the situation earlier today. According to researchers, the campaign began in late April, and was initially focused on human rights organizations and later the motor industry. In late July, the attackers moved on to the chemical industry and began targeting 29 companies.

At least 48 companies are believed to have been targeted across various verticals, including the defense industry, Symantec found. Among the victims are multiple Fortune 100 companies involved in research and development of chemical compounds as well as companies that develop materials for military vehicles. Geographically, the attacks infected machines all across the world, though the largest percentages were in the United States and Bangladesh.

The attacks infected computers with the well-known PoisonIvy Trojan. The ruse was two-fold. In one set of attacks, the hackers sent emails to specific sets of recipients in the organizations that typically purported to be meeting invitations from known business partners. In the second set of attacks, emails were sent to a broad range of people and purported to be a security update. In both cases, the emails contained an attachment carrying the Trojan.

Once on the system, the malware opened a backdoor and contacted a command and control (C&C) server on TCP port 80. Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes, according to Symantec.

“By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers,” Symantec researchers wrote. “Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property…While the behavior of the attackers differs slightly in each compromise, generally once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers. This content is then uploaded to a remote site outside of the compromised organization completing the attack.”

The attacks were traced back to a virtual private server (VPS) in the United States. According to Symantec, the system was owned by a “20-something male located in the Hebei region in China” researchers have nicknamed ‘Covert Grove’ based on a literal translation of his name.  Symantec was quick to add however that the company has been unable to determine Covert Grove’s culpability in the attacks.

“The methods described by Symantec are consistent with the APT methods used in other attacks such as Shady Rat and RSA,” Invincea Chief Scientist Anup Ghosh told SecurityWeek. “In particular, the reconnaissance, research, and spear phish is consistent with what we see in targeted attacks against organizations. The use of Poison Ivy, although quite unoriginal, is also consistent with these targeted attacks…since it works effectively and cheaply, why escalate to more advanced attacks that would burn (zero-days)?”

Meanwhile, Symantec also released a survey of critical infrastructure companies that revealed many companies are not participating in government critical infrastructure protection programs. In fact, the survey – which fielded answers from 3,475 organizations in 37 countries – found the number of companies partially or completely engaged in such programs fell from 56 percent in 2010 to 37 percent in 2011.

“The findings of this survey are somewhat alarming, given recent attacks like Nitro and Duqu that have targeted critical infrastructure providers,” said Dean Turner, director, Global Intelligence Network for Symantec, in a statement.  “Having said that, limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritize and focus their efforts on more day-to-day cyber threats...(However businesses) and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks.  These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure.”