Connect with us

Hi, what are you looking for?


Network Security

Coordinated Cyber Attacks Hit Chemical and Defense Firms

At Least 48 Companies Targeted in Cyber Attacks Across Several Industries

Attackers have been targeting chemical and defense companies around the world in a cyber-campaign designed to steal information.

At Least 48 Companies Targeted in Cyber Attacks Across Several Industries

Attackers have been targeting chemical and defense companies around the world in a cyber-campaign designed to steal information.

Nitro Attacks Hit Chemical FirmsThe attacks have been dubbed ‘Nitro’ by Symantec, which released a whitepaper on the situation earlier today. According to researchers, the campaign began in late April, and was initially focused on human rights organizations and later the motor industry. In late July, the attackers moved on to the chemical industry and began targeting 29 companies.

At least 48 companies are believed to have been targeted across various verticals, including the defense industry, Symantec found. Among the victims are multiple Fortune 100 companies involved in research and development of chemical compounds as well as companies that develop materials for military vehicles. Geographically, the attacks infected machines all across the world, though the largest percentages were in the United States and Bangladesh.

The attacks infected computers with the well-known PoisonIvy Trojan. The ruse was two-fold. In one set of attacks, the hackers sent emails to specific sets of recipients in the organizations that typically purported to be meeting invitations from known business partners. In the second set of attacks, emails were sent to a broad range of people and purported to be a security update. In both cases, the emails contained an attachment carrying the Trojan.

Once on the system, the malware opened a backdoor and contacted a command and control (C&C) server on TCP port 80. Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes, according to Symantec.

“By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers,” Symantec researchers wrote. “Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property…While the behavior of the attackers differs slightly in each compromise, generally once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers. This content is then uploaded to a remote site outside of the compromised organization completing the attack.”

The attacks were traced back to a virtual private server (VPS) in the United States. According to Symantec, the system was owned by a “20-something male located in the Hebei region in China” researchers have nicknamed ‘Covert Grove’ based on a literal translation of his name.  Symantec was quick to add however that the company has been unable to determine Covert Grove’s culpability in the attacks.

Advertisement. Scroll to continue reading.

“The methods described by Symantec are consistent with the APT methods used in other attacks such as Shady Rat and RSA,” Invincea Chief Scientist Anup Ghosh told SecurityWeek. “In particular, the reconnaissance, research, and spear phish is consistent with what we see in targeted attacks against organizations. The use of Poison Ivy, although quite unoriginal, is also consistent with these targeted attacks…since it works effectively and cheaply, why escalate to more advanced attacks that would burn (zero-days)?”

Meanwhile, Symantec also released a survey of critical infrastructure companies that revealed many companies are not participating in government critical infrastructure protection programs. In fact, the survey – which fielded answers from 3,475 organizations in 37 countries – found the number of companies partially or completely engaged in such programs fell from 56 percent in 2010 to 37 percent in 2011.

“The findings of this survey are somewhat alarming, given recent attacks like Nitro and Duqu that have targeted critical infrastructure providers,” said Dean Turner, director, Global Intelligence Network for Symantec, in a statement.  “Having said that, limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritize and focus their efforts on more day-to-day cyber threats…(However businesses) and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks.  These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...