Multiple Fortune 100 companies were the victims of a coordinated series of cyber attacks dubbed Nitro, says security firm Symantec Corp. At least 48 firms - all of which are involved in the chemical and defense industries - were subject to the attack, which has been traced back to a computer system owned by a man in his twenties working out of northern China.
The attacks do not appear to focus on companies in any one country but rather on the industries they represent. Though the companies themselves were not identified, Symantec has confirmed that the majority of infected machines were located in the United States, Bangladesh, the United Kingdom and Argentina and included the systems of 29 chemical companies and those of 19 other companies, many of which are involved in the defense sector. According to the security firm, the companies that were affected included several that develop advanced materials primarily for military vehicles as well as others involved in developing manufacturing infrastructure for the chemical and advanced materials industry.
According to Symantec, this round of attacks on the chemical industry began in July and lasted until mid-September, but the attackers had launched campaigns in other areas as early as April. Initially, efforts were focused on human-rights-related NGOs, shifting to the motor industry in late May and taking a hiatus from June to mid-July.
According to Symantec, the attackers' methodology involved emailing an executable file containing 'PoisonIvy,' a common Trojan developed by a Chinese speaker. In most cases, only a handful of employees from each firm were targeted, and the emails were disguised either as meeting invitations from established business partners of the firm or as security updates. Once installed, PoisonIvy established a connection to a command-and-control (C&C) server, giving hackers access to the infected machine's IP address, the names of all other computers in its network, and archived Windows cached password files.
The primary goal of the attacks, according to Symantec, seems to have been to gain access to industrial intellectual property, though the process also involved obtaining administrator credentials throughout infected systems.
The attacks were traced back to a virtual private server (VPS) located in the U.S., but owned by a 20-something male living in the Hebei province in China. The man claims that he was using the VPS to connect with QQ, an instant messaging system popular in China. Though the circumstances around the man's ownership of the VPS are suspicious, Symantec has as yet been unable to determine if the man - known within the security firm as 'Covert Grove' - is working alone or in conjunction with others, or whether he has a direct or indirect role in the attacks.