Report: Major Chemical Companies Hacked


From at least April to September, hackers ran a widespread international industrial espionage campaign against some 48 companies in more than 20 countries; most of the attacks targeted chemical companies and most of the infected computers were in the U.S., according to a report on the campaign released by security firm Symantec on Monday. (H/T: The Register.)

Symantec, the company that sells Norton Antivirus software, explains that the attacks, which it has codenamed “Nitro,” began with emails sent to employees of the target companies purporting to be “meeting invitations from established business partners.” The emails carried an attachment which was actually malware: when opened, it installed the Poison Ivy backdoor trojan on the employee’s computer.

Symantec continues: “the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes…the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property.”
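The chain Symantec describes (a mail attachment spawns a process, that process learns the host’s IP and enumerates the domain, then dumps cached password hashes) is the kind of sequence a defender can correlate in process-creation logs. The following is an added example written for this article, not Symantec’s own tooling or indicators: it parses constructed pipe-separated process events (timestamp, host, parent image, child image, arguments) and raises a high-severity alert for any host where a non-document child of the mail client is followed within 30 minutes by both domain enumeration and a hash-dump tool, and a medium-severity alert for a hash dump with no visible initial vector. The tool names, the field format and the sample log lines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events for the example, not logs from any Nitro victim.
# Format: <ISO timestamp>|<host>|<parent image>|<child image>|<arguments>
SAMPLE_LOG = r"""
2011-07-12T09:00:10|WKS-01|C:\Program Files\Microsoft Office\OUTLOOK.EXE|C:\Users\alice\AppData\Local\Temp\Meeting_Invite.exe|
2011-07-12T09:00:41|WKS-01|C:\Users\alice\AppData\Local\Temp\Meeting_Invite.exe|C:\Windows\System32\ipconfig.exe|/all
2011-07-12T09:01:05|WKS-01|C:\Users\alice\AppData\Local\Temp\Meeting_Invite.exe|C:\Windows\System32\net.exe|view /domain
2011-07-12T09:06:30|WKS-01|C:\Users\alice\AppData\Local\Temp\Meeting_Invite.exe|C:\Users\alice\AppData\Local\Temp\gsecdump.exe|-s
2011-07-12T09:30:00|WKS-02|C:\Program Files\Microsoft Office\OUTLOOK.EXE|C:\Program Files\Microsoft Office\WINWORD.EXE|/n agenda.docx
2011-07-12T10:15:00|WKS-02|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|view /domain
2011-07-12T11:00:00|WKS-03|C:\Windows\System32\cmd.exe|C:\Windows\System32\gsecdump.exe|-s
"""

# Name sets are assumptions for the example; a real deployment would tune them.
MAIL_CLIENTS = {"outlook.exe"}
DOCUMENT_VIEWERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}  # normal mail-client children
RECON_TOOLS = {"ipconfig.exe", "net.exe", "nltest.exe"}      # host IP and workgroup/domain enumeration
HASH_DUMP_TOOLS = {"gsecdump.exe", "pwdump.exe", "cachedump.exe"}  # cached-hash dumpers
WINDOW = timedelta(minutes=30)  # how long after the attachment runs we look for the rest of the chain


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, host, parent, image, args = line.rstrip("\n").split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "parent": parent, "image": image, "args": args}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage(ev):
    """Map an event to a stage of the described chain, or None if it matches nothing."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if parent in MAIL_CLIENTS and image not in DOCUMENT_VIEWERS:
        return "attachment_exec"   # mail client spawned something other than a document viewer
    if image in HASH_DUMP_TOOLS:
        return "hash_dump"
    if image in RECON_TOOLS:
        return "recon"
    return None


def detect(lines, window=WINDOW):
    """Return alerts, one per host, sorted by host name.

    high:   attachment_exec followed within `window` by both recon and hash_dump
    medium: hash_dump seen on a host with no such preceding chain
    """
    by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        s = stage(ev)
        if s:
            by_host[ev["host"]].append((ev["ts"], s, basename(ev["image"])))

    alerts = []
    for host, events in sorted(by_host.items()):
        events.sort()
        full_chain = False
        for i, (t0, s0, _) in enumerate(events):
            if s0 != "attachment_exec":
                continue
            later = [(s, img) for t, s, img in events[i + 1:] if t - t0 <= window]
            if {"recon", "hash_dump"} <= {s for s, _ in later}:
                tool = next(img for s, img in later if s == "hash_dump")
                alerts.append({"host": host, "severity": "high",
                               "start": t0.isoformat(), "hash_dump_tool": tool})
                full_chain = True
                break
        if not full_chain:
            dumps = [e for e in events if e[1] == "hash_dump"]
            if dumps:
                t, _, tool = dumps[0]
                alerts.append({"host": host, "severity": "medium",
                               "start": t.isoformat(), "hash_dump_tool": tool})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the sample produces a high-severity alert for WKS-01 (the full chain inside six minutes) and a medium one for WKS-03 (hash dump, no visible attachment vector); WKS-02 stays quiet because Outlook launching Word is normal and a lone `net view /domain` from an administrator’s shell is not enough on its own.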

“This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes,” the firm wrote.

At least 48 companies were targeted (Symantec calls 48 the “minimum number”), 29 of them in the chemical sector and 12 of them based in the United States.

These were big names, too. Though Symantec declines to identify them, it notes that the affected companies include “multiple Fortune 100 companies” and firms that produce “advanced materials primarily for military vehicles.” Other targets included defense-industry companies and human rights NGOs.

Twenty-seven of the infected computers were in the United States. Bangladesh had the second most, 20, followed by the U.K., where Symantec counts 14.

Symantec managed to trace the attacks back to a private server farm in the United States owned by “a 20-something male located in the Hebei region in China.” This person, who Symantec codenamed Covert Grove, claimed to have no knowledge of the attacks and said he only owned the server farm to create a static IP address and restrict login access to particular users.

Symantec says the campaign was disrupted in mid September, but notes that other hackers began targeting some of the same companies.

We’ve reached out to Symantec for more information and will update when we receive a response.
