But they were unable to verify whether the person they contacted was actually employed by the school, using an alias, or working for someone else, and said his cover story--using the VPS and its static IP address as a way to access a favorite instant messaging system from within China--would have been technological overkill. "The scenario seems suspicious," they said. "We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform 'hacking for hire.'"
Whoever the Nitro campaign's handler, there are multiple information security lessons to be gleaned from how the attacks were executed, and thus how they can be stopped. "Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack," said Chester Wisniewski, a senior security advisor at Sophos Canada, in his analysis of Symantec's report.
Notably, he said, the attack proves--once again--that end users shouldn't have administrative-level access rights to their Windows PCs. "Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights," he said. "Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for [host intrusion prevention systems] or behavioral antivirus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical."