Computers belonging to at least 48 chemical and defense companies were infected with malicious software known as PoisonIvy, which is used to steal information like design documents, formulas, and manufacturing details.
The attacks were coordinated and traced back to one man in China’s northern province of Hebei, according to the latest report from security firm Symantec.
Symantec’s report didn’t identify the companies attacked, but listed multiple Fortune 100 corporations that develop compounds and advanced materials used in military vehicles and businesses as affected parties. The companies are based in the U.S., Denmark and the U.K.
“The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage,” Symantec said in a white paper on the campaign, which the company dubbed the “Nitro” attacks.
The security firm found evidence of command and control servers used in the operation that linked to other attacks, all of which were tagged with the pseudonym “Covert Grove,” a literal translation of the Hebei hacker’s name.
“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” according to Symantec. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”
Security experts agree the Nitro campaign is the latest in a string of cyber-attacks that are likely the work of government-backed hackers, and it may reinforce the notion that cyber-terrorism is emerging as the future of international conflict.
This summer, former CIA official Cofer Black warned current cyber-threats may be a harbinger of more serious attacks to come.
“You had the Cold War, the global war on terrorism…now you have the Code War,” Black warned.
Security officials are battling several attacks on all fronts. For example, officials are concerned the Stuxnet virus, famous for crippling Iran’s nuclear system by attacking the software used to manage its nuclear power generators, may mutate and pose a threat elsewhere.
In addition to Stuxnet, security experts and lawmakers are gaining greater understanding of Operation Shady RAT, the world’s most massive recorded cyber breach, a five-year operation whose existence officials discovered only months ago.
Security firm McAfee uncovered the widespread yet seemingly coordinated Shady RAT attacks, which appear to be the work of a nation-state, given the attack’s focus on political and military matters.
Operation Shady RAT hit everything from the United Nations to governments, and even insurance firms in the U.S., Taiwan, Vietnam, India and several European nations. McAfee concluded the attack appeared to be backed by a nation-state, but didn’t point fingers. There seems to be consensus among security analysts that China is the main suspect.
And just last week, a security analyst’s blog identified more than 700 businesses and corporations, including 20 percent of Fortune 500 companies, believed to be affected by another state-sponsored attack. The majority of the discovered command and control networks in that attack were linked to locations in and around Beijing, China.
Symantec said the Nitro attack began when attackers sent emails with tainted attachments to between 100 and 500 employees at a company, claiming to be from established business partners or containing bogus security updates.
As soon as unsuspecting recipients opened the attachment, it installed “PoisonIvy,” a Remote Access Trojan (RAT) that gave the attackers control of the machine. From there, the attackers typically identified the intellectual property they wanted and uploaded it to a remote server, according to Symantec.
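The lure pattern Symantec describes, a message posing as a business partner or as a security update that carries an executable attachment, is something a mail gateway can triage before anyone double-clicks. The following script is an added example for this article, not code from Symantec or from any of the parties involved; it uses only the Python standard library and assumes the organization keeps a list of trusted partner domains. The sample messages, the domains, and the attachment names are constructed for the demonstration.

```python
"""Triage inbound e-mail for the Nitro-style lure: partner impersonation,
"security update" wording, and executable (or double-extension) attachments.
Added example; partner domains and sample messages are constructed."""
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
import os
import re

# Constructed: domains the organization really exchanges mail with.
TRUSTED_PARTNER_DOMAINS = {"partner-chem.example", "supplier.example"}

# File types that run code when opened on a typical workstation.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".hta"}
# Document types an attacker hides an executable behind ("report.pdf.exe").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
# Wording that dresses a file or subject up as a vendor patch.
UPDATE_LURE = re.compile(r"(security|critical|windows|adobe|flash|java)[\w\s_-]*(update|patch|fix)", re.I)


def sender_domain(msg: Message) -> str:
    """Domain of the actual From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg: Message) -> list:
    """Filenames of every non-multipart part that carries an attachment."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name or part.get("Content-Disposition", "").lower().startswith("attachment"):
            names.append(name or "<unnamed>")
    return names


def inspect_filename(name: str) -> list:
    """Flag executables, document-disguised executables, and update-themed names."""
    findings = []
    base, ext = os.path.splitext(name)
    if ext.lower() in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment: {name}")
        _, inner = os.path.splitext(base)          # second extension, if any
        if inner.lower() in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension disguises executable as document: {name}")
    if UPDATE_LURE.search(name):
        findings.append(f"filename poses as a software update: {name}")
    return findings


def triage(raw: str) -> dict:
    """Return the sender domain, a list of findings, and a deliver/quarantine verdict."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    display_name, _ = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    findings = []
    if domain not in TRUSTED_PARTNER_DOMAINS:
        # Outside sender whose display name or subject invokes a real partner.
        haystack = f"{display_name} {subject}".lower()
        for partner in TRUSTED_PARTNER_DOMAINS:
            if partner.split(".")[0] in haystack:
                findings.append(f"sender {domain!r} is not a partner domain but invokes partner {partner!r}")
        if UPDATE_LURE.search(subject):
            findings.append("subject advertises a security update from an outside sender")
    for name in attachment_names(msg):
        findings.extend(inspect_filename(name))
    return {"sender_domain": domain, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


def build_sample_lure() -> str:
    """Constructed message with the traits the article describes; not a real sample."""
    msg = MIMEMultipart()
    msg["From"] = "Partner-Chem Procurement <procurement@partner-chem-mail.example>"
    msg["To"] = "engineer@targetco.example"
    msg["Subject"] = "Urgent security update for the shared design portal"
    msg.attach(MIMEText("Please install the attached patch before Friday.", "plain"))
    payload = MIMEApplication(b"MZ-placeholder-not-a-real-binary", Name="Portal_Security_Update.pdf.exe")
    payload["Content-Disposition"] = 'attachment; filename="Portal_Security_Update.pdf.exe"'
    msg.attach(payload)
    return msg.as_string()


def build_sample_benign() -> str:
    """Constructed ordinary message from a genuine partner domain."""
    msg = MIMEMultipart()
    msg["From"] = "Jane Doe <jane@supplier.example>"
    msg["To"] = "accounts@targetco.example"
    msg["Subject"] = "Q3 invoice"
    msg.attach(MIMEText("Invoice attached.", "plain"))
    payload = MIMEApplication(b"%PDF-placeholder", Name="invoice_Q3.pdf")
    payload["Content-Disposition"] = 'attachment; filename="invoice_Q3.pdf"'
    msg.attach(payload)
    return msg.as_string()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        result = triage(raw)
        print(result["verdict"], result["sender_domain"], *result["findings"], sep="\n  ")
```

The checks deliberately look at the real sender domain rather than the display name, because the display name is the part of the header the attacker controls freely; a mismatch between the two, combined with "update" wording or a double extension, is the combination worth routing to an analyst rather than to the inbox.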
Describing the sophisticated, labyrinth-like nature of these intrusions, Symantec’s chief technology officer, Greg Day, said this type of attack is becoming the new norm.
“What we have now is almost the commercialization of those techniques, using elements such as advanced persistent threats to pursue espionage and intellectual property theft, whether that is for their own gain or resale,” Day said.
- REPORT: Top Chemical Firms Targeted In Giant Cyberattack (huffingtonpost.com)
- China ‘targeted 48 chemical and military companies in hacking attack’ (guardian.co.uk)
- Cyber attacks on chemical companies traced to China (usatoday.com)
- Security firm: Hackers hit chemical companies (seattlepi.com)