Threat Management, Critical Infrastructure Security, Threat Intelligence, Malware, Threat Management

“Nitro” attacks target 29 firms in chemical sector

Hackers this summer targeted at least 29 companies in the chemical sector during an attack campaign aimed at stealing intellectual property (IP), such as design documents, formulas and manufacturing processes, according to a new report from Symantec.

The affected firms, not identified by name, include multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials, according to the report, released Tuesday. Companies that develop advanced materials for military vehicles and others involved in developing manufacturing infrastructure were also targeted.

“I would assume that at least some organizations lost some data.”

– Vikram Thakur, principal security response manager at Symantec

The attacks, dubbed “Nitro” by Symantec researchers, began in late July and continued until September. The adversaries first researched their targets, then sent them specially crafted emails purporting to be a security update or a meeting invitation from an established business partner. An attachment contained PoisonIvy, a common backdoor trojan.

Vikram Thakur, principal security response manager at Symantec, told on Tuesday that the attacks, which did not leverage any zero-day vulnerabilities, were not particularly sophisticated. Once PoisonIvy was installed on a system, it contacted the attackers' command-and-control (C&C) server, through which attackers instructed the machine to send back its IP address, the names of all other computers in the workgroup or domain, and dumps of Windows-cached password hashes, according to the report.

Only the affected companies know for sure whether the offenders were able to successfully exfiltrate any IP, Thakur said.

“I would assume that at least some organizations lost some data,” Thakur said. “I'm quite certain that's the case.”

Before targeting those in the chemical industry, the attackers focused on human rights-related, non-governmental organizations in similar attacks that lasted from April to early May, he added. Then, in late May, they began striking the motor industry, before moving onto the chemical sector in July.

“It's important for organizations out there to know that targeted attacks aren't limited to government or military infrastructures,” Thakur said.

The majority of infected machines were located in the United States, Bangladesh and the U.K., the report states. Overall, infections spanned the globe, however.

The attacks were traced back to a 20-something male, who researchers call "Covert Grove" and who is believed to reside in the Hebei region in China, according to the report. Researchers do not know if this person was acting alone or was contracted to carry out the attack.

Researchers discovered a number of different C&C domains and IP addresses used to communicate with infected machines. Most of these points of origin have since been taken down after Symantec researchers alerted the infrastructure operators.

“From the most part we were able to pull the plug from the attackers' control,” Thakur said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.