Symantec has detailed a series of alleged industrial espionage attacks against the chemical industry in which at least 100 computers were compromised from July to August.
Some 29 unnamed companies in the chemical sector including Fortune 100 companies were targeted according to Symantec’s report (pdf) on the attacks, which have been codenamed Nitro.
Machines were compromised through social-engineering phishing attacks in which attackers infected victims with the years-old Poison Ivy remote access tool via emails that purported to be sent from existing business partners or internal IT personnel, according to the vendor.
The Trojan, developed by a Swedish coder called Shapeless, sent IP address and domain information and cached Windows password hashes to command and control (C&C) servers.
Attackers also downloaded additional network penetration tools, although Symantec noted that the techniques used in each attack varied.
The Nitro attacks began in April with a series of smaller but similar attacks against human rights organisations and in May with attacks against the motor industry.
Nineteen organisations including defence contractors were affected in those attacks.
The later July chemical sector attacks affected companies that developed “advanced materials primarily for military vehicles” and “infrastructure for the chemical and advanced materials industry”, Symantec alleged.
Most compromised machines that contacted C&C servers during a monitored two-week period were located in the US, Bangladesh and Britain.
Computers in Australia were not detected during the monitored period.
Further, Symantec said an organisation’s compromised machines were not typically located in the same country in which it had its headquarters.
It explained that “the attackers are targeting sites, or individuals in certain sites, which they know have access to certain data that is of interest to the attacker” or “attackers are targeting sites or individuals that they believe have less security measures in place”.
Symantec said it traced the attacks to a virtual private server located in the US and owned by an individual dubbed Covert Grove located in China.
It was unable to determine if Covert Grove was the sole attacker or was acting on behalf of others.
Trend Micro senior threat researcher Nart Villeneuve used malware, domain and IP information supplied by Symantec to map out three sets of C&C infrastructure.
The first C&C set contained three domains using dynamic DNS and remote access tools to maintain contact with compromised machines.
The remaining sets resolved to specific IP addresses including one previously used to attack the British Government.
“This segmented infrastructure allows the same set of attackers to target different potential victims without having all the attacks linked together. Without additional information, it can be difficult to link together the full scope of targeted malware campaigns,” Villeneuve said.