Symantec flags attacks on chemical industry

Powered by SC Magazine
 

Australia appears untouched.

Symantec has detailed a series of alleged industrial espionage attacks against the chemical industry in which at least 100 computers were compromised from July to August.

Some 29 unnamed companies in the chemical sector, including Fortune 100 companies, were targeted, according to Symantec’s report (pdf) on the attacks, which it has codenamed Nitro.

Machines were compromised through phishing attacks in which the attackers infected victims with the years-old Poison Ivy remote access tool, using emails that purported to come from existing business partners or internal IT staff, according to the vendor.

The Trojan, written by a Swedish coder known as Shapeless, sent the infected machine’s IP address and domain information, along with cached Windows password hashes, to command and control (C&C) servers.

Attackers also downloaded additional network penetration tools, although Symantec noted that the techniques used in each attack varied.

The Nitro campaign began in April with a smaller series of similar attacks against human rights organisations, followed in May by attacks on the motor industry.

Nineteen organisations including defence contractors were affected in those attacks.

The later July chemical sector attacks affected companies that developed “advanced materials primarily for military vehicles” and “infrastructure for the chemical and advanced materials industry”, Symantec alleged.

Most of the compromised machines that contacted C&C servers during a monitored two-week period were located in the US, Bangladesh and Britain.

Computers in Australia were not detected during the monitored period.

Further, Symantec said an organisation’s compromised machines were not typically located in the same country in which it had its headquarters.

It explained that “the attackers are targeting sites, or individuals in certain sites, which they know have access to certain data that is of interest to the attacker” or “attackers are targeting sites or individuals that they believe have less security measures in place”.

Symantec said it traced the attacks to a virtual private server in the US that was owned by an individual in China, whom it dubbed Covert Grove.

It was unable to determine if Covert Grove was the sole attacker or was acting on behalf of others.

Trend Micro senior threat researcher Nart Villeneuve used malware, domain and IP information supplied by Symantec to map out three sets of C&C infrastructure.

The first set comprised three domains that used dynamic DNS, through which remote access tools maintained contact with compromised machines.

The remaining sets resolved to specific IP addresses including one previously used to attack the British Government.

“This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns,” Villeneuve said.
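Villeneuve’s point about segmented infrastructure is easiest to see as a graph problem: every domain and every address it resolves to is a node, a passive-DNS observation is an edge, and an “infrastructure set” is a connected component. Separate components stay separate until some other pivot (a malware sample seen contacting names in two sets, say) bridges them. The following is an added illustration, not code or data from the Symantec or Trend Micro reports; the domains are placeholders under the reserved example.* names, the addresses are RFC 5737 documentation ranges, and the “shared sample” pivot is a constructed assumption.

```python
"""Group C&C indicators into infrastructure sets by shared DNS resolution.

Added example for illustration only. All domains, addresses and the
'shared malware sample' pivot are constructed placeholders, not Nitro
indicators.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Observation = Tuple[str, str]  # (domain, resolved IPv4 address)

# Constructed passive-DNS style observations.
OBSERVATIONS: List[Observation] = [
    # set A: names that churn across several addresses, the trace a
    # dynamic-DNS based C&C leaves behind in passive DNS
    ("update1.example.net", "198.51.100.10"),
    ("update1.example.net", "198.51.100.11"),
    ("files-sync.example.net", "198.51.100.11"),
    ("mail-cache.example.net", "198.51.100.12"),
    ("mail-cache.example.net", "198.51.100.10"),
    # set B: a single hard-coded server
    ("cdn.example.org", "203.0.113.5"),
    # set C: another hard-coded server on a different address
    ("img.example.com", "203.0.113.77"),
]


def build_graph(observations: Iterable[Observation],
                extra_links: Iterable[Tuple[str, str]] = ()) -> Dict[str, Set[str]]:
    """Undirected graph with domain nodes ('d:...') and IP nodes ('ip:...').

    extra_links are additional pivots between already-prefixed node names,
    e.g. two domains contacted by the same malware sample.
    """
    graph: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in observations:
        d, a = f"d:{domain}", f"ip:{ip}"
        graph[d].add(a)
        graph[a].add(d)
    for left, right in extra_links:
        graph[left].add(right)
        graph[right].add(left)
    return graph


def connected_components(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Iterative depth-first search over the adjacency map."""
    seen: Set[str] = set()
    components: List[Set[str]] = []
    for start in list(graph):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(graph[node] - comp)
        seen |= comp
        components.append(comp)
    return components


def infrastructure_sets(observations: Iterable[Observation],
                        extra_links: Iterable[Tuple[str, str]] = ()) -> List[List[str]]:
    """Return the sorted domain names of each infrastructure set."""
    graph = build_graph(observations, extra_links)
    sets: List[List[str]] = []
    for comp in connected_components(graph):
        domains = sorted(n[2:] for n in comp if n.startswith("d:"))
        if domains:
            sets.append(domains)
    return sorted(sets)


def churning_domains(observations: Iterable[Observation], min_ips: int = 2) -> List[str]:
    """Domains seen resolving to at least min_ips distinct addresses,
    a cheap heuristic for dynamic-DNS style C&C names."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in observations:
        ips[domain].add(ip)
    return sorted(d for d, s in ips.items() if len(s) >= min_ips)


if __name__ == "__main__":
    print("churning names:", churning_domains(OBSERVATIONS))
    print("sets from DNS alone:", infrastructure_sets(OBSERVATIONS))
    # Constructed pivot: assume one sample was seen talking to both a set-A
    # name and the set-B server. That single extra edge merges the sets.
    shared_sample = [("d:mail-cache.example.net", "d:cdn.example.org")]
    print("sets with sample pivot:", infrastructure_sets(OBSERVATIONS, shared_sample))
```

Run as is, DNS data alone yields three disjoint sets, matching the “segmented” picture; the one extra edge from the constructed sample pivot collapses sets A and B into one, which is the “additional information” Villeneuve says is needed to see a campaign’s full scope.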

Copyright © SC Magazine, Australia