Command-and-control systems at a total of 48 companies in the chemicals business and related sectors were attacked from 101 IP addresses in 20 countries; all showed traffic patterns that indicated they had probably been infected with malware and were being controlled as part of a botnet, Symantec's report found.
Anatomy of a cyber-espionage attack
All the attacks began with a series of spear-phishing emails aimed at a very small number of employees – though in one company 500 employees got the note and 100 got it in another.
The phishing notes sent to a narrowly focused set of targets were disguised as requests for meetings from a business partner. Those sent to hundreds of people were disguised as necessary security updates.
The malware payload in each case was PoisonIvy, a backdoor Trojan commonly listed as a Remote Administration Tool (RAT). It is widely used, but this copy was developed by someone who either spoke Chinese or simply left his or her note files within the malware in that language.
Once installed, PoisonIvy contacted its command server using encrypted data sent through Port 80 – the same port universally used by web traffic.
The Trojan provided the command server with its own IP address and those of the machines in its workgroup, as well as copies of password data from as many machines as possible, though the passwords themselves were still concealed as hashes.
Once the attackers cracked the hashes, they returned and walked through the network infecting other machines and searching for administrator credentials that would give them access to servers storing secure intellectual property data.
Once they got it, they downloaded it to a machine that served as a staging server within the victim's network, then uploaded it to their own network.
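The command-and-control behaviour described above, a Trojan talking to its server on port 80 with encrypted data that is not HTTP, is something a network monitor can pick out. The following is an added example written for this page, not code from the article or from Symantec's report: it reads a constructed, Zeek-style connection log (assumed fields: timestamp, source, destination, destination port, identified application protocol) and flags hosts that use port 80 without speaking HTTP and that call the same destination on a steady schedule, the beaconing pattern that distinguishes a remote-administration Trojan from a browser.

```python
"""Flag PoisonIvy-style beaconing: non-HTTP traffic on port 80 at regular intervals.

Added example, not part of the article or Symantec's report. The log format
and thresholds are assumptions; the sample records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (one connection per line):
#   <timestamp seconds> <src ip> <dst ip> <dst port> <app protocol>
# '-' means the analyser could not identify an application protocol,
# which is what encrypted Trojan traffic on port 80 looks like.
SAMPLE_LOG = """\
1000 10.0.5.21 203.0.113.9 80 -
1030 10.0.5.21 203.0.113.9 80 -
1061 10.0.5.21 203.0.113.9 80 -
1090 10.0.5.21 203.0.113.9 80 -
1120 10.0.5.21 203.0.113.9 80 -
1005 10.0.5.22 198.51.100.7 80 http
1200 10.0.5.22 198.51.100.7 80 http
1800 10.0.5.22 198.51.100.7 80 http
1010 10.0.5.23 192.0.2.44 80 -
1700 10.0.5.23 192.0.2.44 80 -
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto})
    return records


def non_http_on_port80(records):
    """Return sorted (src, dst) pairs that used port 80 without an HTTP exchange.

    A browser on port 80 always produces an identifiable HTTP request; a RAT
    pushing encrypted blobs over the same port does not.
    """
    pairs = {(r["src"], r["dst"]) for r in records
             if r["dport"] == 80 and r["proto"] != "http"}
    return sorted(pairs)


def find_beacons(records, min_hits=4, max_cv=0.2):
    """Return (src, dst, mean_interval) for non-HTTP port-80 pairs that beacon.

    A pair is a beacon candidate when it connected at least `min_hits` times
    and the gaps between connections are nearly constant: coefficient of
    variation (stdev / mean of the intervals) at or below `max_cv`.
    """
    suspect = set(non_http_on_port80(records))
    times = defaultdict(list)
    for r in records:
        if (r["src"], r["dst"]) in suspect:
            times[(r["src"], r["dst"])].append(r["ts"])

    beacons = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few connections to judge periodicity
        stamps.sort()  # log lines are not guaranteed to be in time order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((src, dst, avg))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("non-HTTP port-80 pairs:", non_http_on_port80(recs))
    for src, dst, interval in find_beacons(recs):
        print(f"beacon candidate {src} -> {dst}, every ~{interval:.0f}s")
```

In the constructed sample, 10.0.5.22 is cleared because its port-80 traffic is real HTTP, 10.0.5.23 used port 80 without HTTP but only twice, and only 10.0.5.21 shows the steady thirty-second cadence that warrants a look at the host. On real data the thresholds would be tuned per environment, and the same grouping logic applies to any port the Trojan chooses to hide on.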
The report suggested phishing targets were selected either because they were in locations that housed the data attackers wanted, or because attackers knew the sites they targeted had weaker security than others.
The culprit: 'Just some dude?'
Symantec traced the attacks to a virtual private server running on a U.S.-based cloud or Internet service provider's network.
It was owned, Symantec's report concludes, by a Chinese man in his 20s living in the Hebei region in China. Symantec gave him the pseudonym Covert Grove, which is a literal translation of the name they identified for him on the Chinese servers from which he works.