31 Oct 2011, Phil Muncaster, V3
Symantec has revealed yet another large-scale targeted cyber attack, this time designed primarily to steal information from chemical and defence companies.
Dubbed 'Nitro', the campaign started in late April, initially focused on human rights NGOs, before moving on to the motor industry, according to the Symantec Nitro attacks report (PDF).
The attack moved on to the chemical industry in late July, targeting 29 companies and another 19 in sectors such as defence, although more than 100 other machines are likely to have been infected, the report said.
The attackers used the now familiar ploy of pinpointing certain members of a target organisation and sending them an email with a malicious attachment disguised as a meeting invitation or security update.
"The emails contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email," the report noted.
"In both cases, the file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker."
Once the infected machine was connected to the command and control server, the attackers could traverse the network, infecting additional computers in the search for the domain administrator's credentials, and from there locate the servers containing the desired intellectual property.
"While the behaviour of the attackers differs slightly in each compromise, generally, once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers," the report continued.
"This content is then uploaded to a remote site outside the compromised organisation completing the attack."
The attacks were spread geographically far and wide, but most of the infected machines were located in the US (27), Bangladesh (20) and the UK (14).
Most interestingly, Symantec traced the attacks to a virtual private server (VPS) based in the US but registered to a "20-something male", dubbed 'Covert Grove', located in Hebei, China.
The male claimed that the VPS, which cost him $32 a month to rent, was set up for legitimate purposes, but Symantec researchers found evidence which may point to the contrary.
"When prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform 'hacking for hire'. Whether this contact is merely an alias or a different individual has not been determined," the researchers concluded.
The discovery comes during a year in which many similar attacks have been uncovered, including Night Dragon, Shady RAT and Lurid, all apparently designed to covertly steal intellectual property from a range of organisations.