Symantec details trackback to culprit in chemical-company espionage attacks

'Nitro' attack series shows specific intent at industrial espionage

Security experts have been saying for a while that high-volume, sophisticated hacking operations with global reach have largely shifted from hacks of individual accounts into major heists and, more frequently, industrial espionage.

Certainly that has been a consistent theme in the Night Dragon and other espionage-centered attacks including theft of SecureID code from RSA – by what security companies have identified as units of the Chinese military.

Symantec today published a report highlighting common threads and methods that amount to a long-term, concentrated series of attempts at industrial espionage on the global chemical industry.

The report "The Nitro Attacks: Stealing Secrets from the Chemical Industry"(PDF download)describes a series of targeted campaigns aimed at private companies to steal design documents, formulas, manufacturing processes and research materials.

The report is an unusually detailed description of the entire pattern of an attack, including the techniques and tools involved and data straight from the suspected perpetrator.

The most common denominator among the companies attacked is a direct or peripheral connection to the manufacture of military vehicles.

The chemical industry is just the latest target in a series of companies in specific vertical markets or other specialties to be targeted by attacks Symantec identified as similar enough to believe they came from the same source.

In April and May the attacks focused on human-rights activist groups. In May they shifted to the motor industry, then took a break until late July, when a series of attacks began on chemical companies that went on for more than two-and-a-half months.

Command-and-control systems at a total of 48 companies in the chemicals business and related sectors were attacked from 101 IP addresses in 20 countries; all showed traffic patterns that indicated they had probably been infected with malware and were being controlled as part of a botnet, Symantec's report found.

Anatomy of a cyber-espionage attack

All the attacks began with a series of spear-phishing emails aimed at a very small number of employees – though in one company 500 employees got the note and 100 got it in another.

The phishing notes sent to a narrowly focused set of targets were disguised as requests for meetings from a business partner. Those sent to hundreds of people were disguised as necessary security updates.

The malware payload in each case was a backdoor Trojan called PoisonIvy listed commonly as a Remote Administration Tool (RAT), which is very common but was developed by someone who either spoke Chinese or simply left his or her note files within the malware in that language.

Once installed, PoisonIvy contacted its command server using encrypted data sent through Port 80 – the same port universally used by web traffic.

The Trojan provided the command server its IP address and those of the machines in its workgroup, as well as copies of password data from as many machines as possible, though passwords themselves were still concealed as hashes.

Once the attackers cracked the hashes, they returned and walked through the network infecting other machines and searching for administrator credentials that would give them access to servers storing secure intellectual property data.

Once they got it, they downloaded it to a machine that served as a staging server within the victim's network, then uploaded it to their own network.

The report suggested phishing targets were selected either because they were in locations that housed the data attackers wanted, or because attackers knew the sites they targeted had weaker security than others.

The culprit: 'Just some dude?'

Symanec traced the attacks to a virtual private server running on a U.S. –based cloud- or Internet Service Provider's network.

It was owned, Symantec's report concludes, by a Chinese man in his 20s living in the Hebei region in China. Symantec gave him the pseudonym Covert Grove, which is a literal translation of the name they identified for him on the Chinese servers from which he works.

Though Symantec was able to question Covert Grove enough to get him to claim he only owned the VPS to give himself a static IP address from which he could access an instant-messaging system popular in China – an explanation the report termed "suspicious" considering the $32/month cost of the VPS, which is quite high for China.

Symantec researchers couldn't figure out if Covert Grove was working on his own or with others.

Chinese government officials have complained about widespread accusations that China is behind a long series of cyber-espionage attacks on various Western countries, claiming that China is hacked at least as often as any other country, and that entrepreneurial individuals and small groups in the increasingly industrialized provinces of China go a-hacking on their own either as hobbies or covert businesses without any involvement with or sanction from the government.

The Symantec report doesn't comment on that, but does say another set of attackers are using the Backdoor.Sogu remote access tool to attack similar companies in the chemical business, using PDF and DOC files rather than meeting invitations or security updates as their cover.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies