Symantec flags attacks on chemical industry

Powered by SC Magazine

Australia appears untouched.

Symantec has detailed a series of alleged industrial espionage attacks against the chemical industry in which at least 100 computers were compromised from July to August.

Some 29 unnamed companies in the chemical sector, including Fortune 100 companies, were targeted, according to Symantec’s report (pdf) on the attacks, which have been codenamed Nitro.

Machines were compromised through social engineering phishing attacks in which attackers infected victims with the years-old Poison Ivy remote access tool via emails that purported to come from existing business partners or internal IT personnel, according to the vendor.

The Trojan, developed by a Swedish coder called Shapeless, sent IP address and domain information and cached Windows password hashes to command and control (C&C) servers.

Attackers also downloaded additional network penetration tools, although Symantec noted that the techniques used in each attack varied.

The Nitro attacks began in April with a series of smaller but similar attacks against human rights organisations and in May with attacks against the motor industry.

Nineteen organisations including defence contractors were affected in those attacks.

The later July chemical sector attacks affected companies that developed “advanced materials primarily for military vehicles” and “infrastructure for the chemical and advanced materials industry”, Symantec alleged.

Most compromised machines which contacted C&C servers during a monitored two-week period were located in the US, Bangladesh and Britain.

Computers in Australia were not detected during the monitored period.

Further, Symantec said an organisation’s compromised machines were not typically located in the same country in which it had its headquarters.

It explained that “the attackers are targeting sites, or individuals in certain sites, which they know have access to certain data that is of interest to the attacker” or “attackers are targeting sites or individuals that they believe have less security measures in place”.

Symantec said it traced the attacks to a virtual private server located in the US and owned by an individual dubbed Covert Grove located in China.

It was unable to determine if Covert Grove was the sole attacker or was acting on behalf of others.

Trend Micro senior threat researcher Nart Villeneuve used malware, domain and IP information supplied by Symantec to map out three sets of C&C infrastructure.

The first C&C set contained three domains using dynamic DNS and remote access tools to maintain contact with compromised machines.

The remaining sets resolved to specific IP addresses including one previously used to attack the British Government.

“This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns,” Villeneuve said.

Copyright © SC Magazine, Australia
