That revelation comes from a study, "The Nitro Attacks: Stealing Secrets from the Chemical Industry," released Monday by Symantec. According to the study's authors, Eric Chien, technical director of Symantec Security Response, and Symantec threat intelligence officer Gavin O'Gorman, the attack campaign against the chemical industry--which led to their codenaming it "Nitro"--ran from July to mid-September 2011.
But they've found evidence that part of the attack infrastructure was put to use before then. Notably, they said that the command-and-control servers communicating with the remote-access tools used in the attacks first appeared in April 2011, and targeted human-rights-related nonprofit groups. The next month, meanwhile, the infrastructure was employed to attack the motor manufacturing industry. Then, after being dormant for part of June and July, the command-and-control servers were reactivated for the recent chemical industry attack campaign, which lasted for about 10 weeks.
[End users aren't the only people who may be compromising your security. Are Your IT Pros Abusing Admin Passwords?]
So far, Symantec has confirmed that 29 chemical companies and 19 organizations in other industries were targeted by the malware. But it warned that the actual number of businesses targeted--or exploited--by the malware may be much higher. "In a recent two-week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet service providers or organizations in 20 countries," said Chien and O'Gorman.
In the case of the chemical industry attacks, the attackers targeted businesses that manufacture chemical compounds or advanced materials used for manufacturing military vehicles, as well as businesses that design and build manufacturing systems for the chemical and advanced material industries. "The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage," they said. In particular, the attackers were hunting for "sensitive documents such as proprietary designs, formulas, and manufacturing processes."
Targeted attacks involving remote access tools aren't new. Earlier this year, for example, McAfee published its findings into a series of attacks it dubbed Shady RAT, for remote access tool. But McAfee's report was criticized by some for being unnecessarily alarmist after outside experts studied the malware and found it to be relatively unsophisticated, and far less dangerous than many other botnets currently at large. In contrast to the McAfee study, Symantec's report paints a picture of malware that's only as sophisticated as it needs to be.
In particular, the Nitro malware was emailed to a select--and apparently prescreened group--of recipients, numbering anywhere from just a handful of employees to almost 500 in any given business. The emails, however, really constituted a phishing attack, sent under the pretext of either a meeting invitation from a known business partner or a necessary security update for either Flash Player or an antivirus product.
The email's attachment--a self-extracting executable included in a zipped file, with the password pasted into the email body--was actually a common Trojan malware known as Poison Ivy. But just because the remote administration tool might be common--and free to download--doesn't mean it isn't dangerous or effective. Indeed, the malware, which security researchers say was developed by a Chinese-language speaker, was used both to exploit RSA's SecurID, as well as in the Operation Aurora attack against Google. In the case of the Nitro attacks, Symantec traced the command-and-control servers back to a virtual private server (VPS) located in the United States that was rented for about $32 per month. "However, the system was owned by a 20-something male located in the Hebei region in China," said Chien and O'Gorman. "We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school."
But they were unable to verify whether the person they contacted was actually employed by the school, using an alias, or working for someone else, and said his cover story--using the VPS and its static IP address as a way to access a favorite instant messaging system from within China--would have been technological overkill. "The scenario seems suspicious," they said. "We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform 'hacking for hire.'"
Whoever the Nitro campaign's handler, there are multiple information security lessons to be gleaned from how the attacks were executed, and thus how they can be stopped. "Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding. If you weren't one of the victims, this is a great lesson on what you should be doing to protect against the next attack," said Chester Wisniewski, a senior security advisor at Sophos Canada, in his analysis of Symantec's report.
Notably, he said, the attack proves--once again--that end users shouldn't have administrative-level access rights to their Windows PCs. "Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights," he said. "Simply restricting permissions would be enough to stunt the spread of an attack like this. Additionally, the behavior of this malware is quite easy for [host intrusion prevention systems] or behavioral antivirus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical."