Cyber Report: Chemical Industry Under Attack

Wednesday, November 2, 2011 @ 04:11 PM gHale


At least 48 chemical and defense companies were victims of a coordinated cyber attack traced back to one man in China, said a report from security company Symantec Corp.

Computers ended up infected with malicious software known as “PoisonIvy,” which could steal information such as design documents, formulas and details on manufacturing processes, Symantec said.

RELATED STORIES
Survey: In Age of Attack, Providers Less Aware
Privacy Tougher to Practice
New Blood can Curtail Cyber Attacks
Energy Dept. Cyber Attack Victim

The report did not identify the companies, but said they include multiple Fortune 100 corporations that develop compounds and advanced materials, along with businesses that help manufacture infrastructure for these industries.

The bulk of the infected machines were in the United States and United Kingdom, Symantec said, adding the victims include 29 chemicals companies, some of which developed advanced materials used in military vehicles.

“The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage,” Symantec said in a white paper on the campaign, which the company dubbed the “Nitro” attacks.

The cyber campaign ran from late July through mid-September and ended up traced to a computer system in the United States owned by a man in his 20s in Hebei province in northern China, according to Symantec.

Researchers gave the man the pseudonym “Covert Grove” based on a literal translation of his name. They found evidence the “command and control” servers used to control and mine data in this campaign also saw use in attacks on human-rights groups from late April to early May, and in attacks on the motor industry in late May, Symantec said.

“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” said Symantec’s white paper. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”

The Nitro campaign is the latest in a series of highly targeted cyber attacks that security experts say could be the work of government-backed hackers.

Intel Corp’s security unit McAfee in August identified “Operation Shady RAT,” a five-year coordinated campaign on the networks of 72 organizations, including the United Nations, governments and corporations.

In February, McAfee warned hackers working in China broke into the computer systems of five multinational oil and natural gas companies to steal bidding plans and other critical proprietary information.

Symantec said on Monday the Nitro attackers sent emails with tainted attachments to between 100 and 500 employees at a company, claiming to be from established business partners or to contain bogus security updates.

When an unsuspecting recipient opens the attachment, it installs “PoisonIvy,” a Remote Access Trojan (RAT) that can take control of a machine and is easily available over the Internet.

While the hackers’ behavior differed slightly in each case, they typically identified desired intellectual property, copied it and uploaded it to a remote server, Symantec said in its report.

Dow Chemical Co said it detected “unusual emails being delivered to the company” last summer and worked with law enforcers to address this situation.

“We have no reason to believe our operations were compromised, including safety, security, intellectual property, or our ability to service our customers,” a Dow spokesman said.



Leave a Reply

You must be logged in to post a comment.