The attacks against these companies started in late July 2011 and lasted until the middle of September 2011, but the attackers are thought to be the same ones who targeted human rights related NGOs and companies in the motor industry in May.
The campaign was code-named Nitro by the researchers because of the attackers' focus on information about chemical compounds and various advanced materials used by the military. All in all, nearly 100 computers - mostly located in the U.S., Bangladesh and the U.K. - have been infected, belonging mostly to U.S. and U.K. companies.
The attacks predictably started with specially crafted emails sent to employees of these companies. In some companies only a few of them were targeted, in others almost 500. When the recipients were many, the email usually purported to be a security update; when the recipients were few, emails took the form of meeting invitations from business partners.

"The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email," say the researchers. "In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker."
Once the attackers gained access to a target's computer, they used it as a foothold to move further into the company network and infect other machines. The backdoor also contacted a C&C server from which it received further instructions. When the attackers finally found the information they were after - sensitive material regarding the company's operations - it was copied to internal staging servers and ultimately uploaded to remote servers operated by the attackers.
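The two lure shapes quoted above - a PE dressed up as a text file, and a password-protected archive whose password travels in the mail body - are cheap to flag at the mail gateway before anyone double-clicks. The script below is an added example written for this article, not code from the researchers or their report; the sample messages, file names and the password "Upd4te2011" are constructed, and the archive builder only sets the ZIP encryption flag (the triage never decrypts anything, so the payload is left in clear).

```python
"""Mail-attachment triage for the two Nitro lure patterns (constructed example)."""
import re
import struct
import zlib
from dataclasses import dataclass

PE_MAGIC = b"MZ"                 # DOS header at the start of every Windows executable
ZIP_LOCAL_SIG = 0x04034B50       # "PK\x03\x04", ZIP local file header signature
DOC_EXTS = (".txt", ".doc", ".pdf", ".rtf")
# A password handed over in the body, e.g. "The password is Upd4te2011" or "Password: Upd4te2011"
PASSWORD_RE = re.compile(r"password\W+(?:is\W+|:\W*)?([A-Za-z0-9!@#$%^&*_-]{4,})", re.I)


@dataclass
class Mail:
    body: str
    attachment_name: str
    attachment: bytes


def disguised_executable(name: str, data: bytes) -> bool:
    """True when the bytes are a PE but the name is dressed up as a document:
    'notes.txt' carrying an MZ header, or the double-extension 'notes.txt.exe'.
    The icon trick used in the same lure would need PE resource parsing; not done here."""
    if not data.startswith(PE_MAGIC):
        return False
    stem, _, ext = name.lower().rpartition(".")
    return "." + ext in DOC_EXTS or stem.endswith(DOC_EXTS)


def zip_is_encrypted(data: bytes) -> bool:
    """Read the general-purpose flag word of the first local file header;
    bit 0 set means the member is encrypted. Nothing is extracted."""
    if len(data) < 30:
        return False
    sig, _version, flags = struct.unpack_from("<IHH", data, 0)
    return sig == ZIP_LOCAL_SIG and bool(flags & 0x1)


def password_in_body(body: str):
    """Return the first password-looking token the sender offers in the body, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def triage(mail: Mail) -> list:
    """Return the lure patterns a message matches (empty list means nothing found)."""
    findings = []
    if disguised_executable(mail.attachment_name, mail.attachment):
        findings.append("executable disguised as document")
    if zip_is_encrypted(mail.attachment):
        pw = password_in_body(mail.body)
        if pw:
            findings.append(f"encrypted archive, password '{pw}' supplied in body")
        else:
            findings.append("encrypted archive, no password in body")
    return findings


def make_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build a minimal one-member stored ZIP (local header + data) so the example
    runs offline. Bit 0 of the flags marks the member encrypted; the payload is
    left in clear because the triage above never decrypts it."""
    flags = 0x1 if encrypted else 0x0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    header = struct.pack("<IHHHHHIIIHH", ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                         crc, len(payload), len(payload), len(name), 0)
    return header + name + payload


SAMPLES = [  # constructed messages, not material from the report
    Mail("Please review the attached meeting notes before Thursday.",
         "Meeting_Notes.txt.exe", b"MZ\x90\x00" + b"\x00" * 60),
    Mail("Critical security update attached. The password is Upd4te2011.",
         "security_update.zip", make_zip(b"update.exe", b"MZ\x90\x00", True)),
    Mail("Quarterly figures attached.", "q3.txt", b"Quarterly revenue: ..."),
]


def run() -> dict:
    """Triage every sample and map attachment name to its findings."""
    return {m.attachment_name: triage(m) for m in SAMPLES}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "->", findings or ["clean"])
```

Only the first local header is inspected, which is enough to catch the lure but not a multi-member archive whose first entry is a decoy; a gateway that wants certainty should detonate the archive with the extracted password in a sandbox rather than trust the flag alone.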
The researchers have discovered the IP addresses of several C&C domains which the backdoor was instructed to connect to and, in one case, the IP address to which some of the Trojan samples connected directly.
That address turned out to be a virtual private server (VPS) hosted in the United States but owned by a man in his twenties from Hebei province, China.
The researchers have even managed to contact the guy - whom they dubbed Covert Grove - who claimed to have established the U.S.-based VPS in order to log into a popular Chinese instant messaging system, since it would provide him with a static IP address needed to use a feature of the system.
Even though the explanation sounded suspicious to the researchers, they haven't managed to prove that the VPS was used by any other user. "We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role," they say. "Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties."
The researchers have also revealed that the Nitro attackers weren't the only ones who targeted these companies during this two-and-a-half month period. Other attackers, using booby-trapped PDF and DOC files and the custom-developed Sogu backdoor, have also tried to infiltrate the companies' systems. The researchers don't say whether these attackers succeeded, but have confirmed that they are keeping an eye on them.
For further details about the attacks and to check out the MD5s of the files used in them, download the report.