UPDATED 13:47 EDT / NOVEMBER 03 2011

Alleged Chinese Hacker Targets Companies Involved in Chemical and Military R&D

Symantec, a US-based security company, has uncovered a string of cyber attacks against 48 companies involved in the chemical and military industries. The assaults are said to be corporate espionage carried out by the hacker ‘Nitro’ from China, and they target design documents, formulas, and manufacturing processes.

“The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage,” according to Symantec, which nicknamed the attack campaign Nitro.

The targeted companies include Fortune 100 firms involved in chemical research and development, companies that develop advanced materials for military vehicles, and others involved in their operations. However, Nitro does not attack only chemical- and military-related industries; NGOs and the motor industry have been hit as well. There are 29 known attacks against chemical companies and 19 against other industries.

“These 48 companies are the minimum number of companies targeted and likely other companies were also targeted,” Symantec said in its report. “In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries.”

While this may sound like an elaborate operation, the Nitro hackers carried out the intrusion through an email scam: they sent out fake meeting invitations with Poison Ivy, a common backdoor Trojan, attached.

“When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy to be installed,” the report found. “Once PoisonIvy was installed, it contacted a C&C server on TCP port 80 using an encrypted communication protocol. Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes.”
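The report describes the backdoor contacting its C&C server on TCP port 80 with an encrypted protocol of its own, i.e. not HTTP. A simple network detection that follows from this is to check whether a port-80 flow actually opens with an HTTP request line. The following is an added example, not code from the article or from Symantec, run over constructed flow records (the IP addresses and payload bytes are made up); a production detector would use a real protocol dissector rather than a request-line regex.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real traffic): the first bytes the
# client sent after the TCP handshake, plus endpoints and destination port.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80,
     "first_bytes": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"},
    {"src": "10.0.0.7", "dst": "203.0.113.11", "dport": 80,
     "first_bytes": b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"},
    # A backdoor speaking its own encrypted protocol over port 80 does not
    # begin with an HTTP request line; these bytes are constructed filler.
    {"src": "10.0.0.9", "dst": "198.51.100.23", "dport": 80,
     "first_bytes": b"\x17\x03\x01\x00\x2a\x8f\x41\xb2\x91\x03"},
    {"src": "10.0.0.12", "dst": "198.51.100.23", "dport": 80,
     "first_bytes": b"\x8a\x11\xf3\x02\x7c\x00\x19\xde\x55\x61"},
    # TLS on 443 is expected and is not examined by this rule.
    {"src": "10.0.0.9", "dst": "198.51.100.23", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"},
]

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r?\n"
)


def looks_like_http(first_bytes: bytes) -> bool:
    """True if the client's opening bytes form a valid HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def non_http_on_port_80(flows):
    """Return (src, dst) pairs for port-80 flows whose first bytes are not HTTP."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == 80 and not looks_like_http(f["first_bytes"])]


def sources_per_destination(alerts):
    """Group alerting internal hosts by the external endpoint they contacted.

    Several internal hosts speaking non-HTTP to the same port-80 endpoint is
    the pattern the report describes for infected machines checking in to a
    C&C server, so this is the view an analyst would triage first.
    """
    grouped = defaultdict(set)
    for src, dst in alerts:
        grouped[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in grouped.items()}


if __name__ == "__main__":
    alerts = non_http_on_port_80(SAMPLE_FLOWS)
    for dst, srcs in sources_per_destination(alerts).items():
        print(f"non-HTTP traffic on tcp/80 to {dst} from {len(srcs)} host(s): {', '.join(srcs)}")
```

The rule deliberately looks only at the client's opening bytes: a backdoor that wraps its traffic in genuine HTTP would pass it, which is why it belongs alongside, not instead of, proxy logging and egress filtering.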

Using the above method, PoisonIvy can spread to other computers whose users never opened the email, as the attackers move on to machines that hold administrator IDs and intellectual property. It turns out, however, that these kinds of attacks can be stopped at an early stage if companies choose to train their employees better.

“Malware cannot access the Windows cache of passwords, which almost always has admin credentials included, if it does not have administrative rights,” Sophos’ Chester Wisniewski wrote in a blog post. “Simply restricting permissions would be enough to stunt the spread of an attack like this.”

“Blocking suspicious attachments, using proactive detection technologies and educating users could all stop this type of attack from succeeding,” he continued. “If you weren’t one of the victims, this is a great lesson on what you should be doing to protect against the next attack.”
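The first control Wisniewski names, blocking suspicious attachments, is the one that would have stopped a fake meeting invitation carrying an executable. The following is an added example, not code from the article, Sophos or Symantec, showing the checks a mail-gateway policy typically applies: executable extensions, document-style double extensions, and executable content (the Windows PE ‘MZ’ signature) hiding under a harmless file name. The attachment names and bytes are constructed, and the extension lists are illustrative assumptions rather than any vendor's list.

```python
from typing import Dict, List, Tuple

# Constructed sample attachments (filename, leading bytes); none are real files.
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("agenda.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("meeting_invite.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # double extension
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),              # executable content, harmless name
    ("quarterly.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("setup.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
]

# Extensions Windows runs directly when double-clicked (illustrative list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions a recipient would expect on a meeting agenda or report (illustrative list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def screen_attachment(name: str, content: bytes) -> List[str]:
    """Return the reasons an attachment should be held; an empty list means allow."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if inner in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension .{inner}.{ext} disguises an executable as a document")
    # Inspect content, not only the name: a Windows PE file starts with 'MZ'.
    if content.startswith(b"MZ") and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"Windows executable (MZ header) under non-executable name .{ext}")
    return reasons


def screen_mailbox(attachments: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Screen every attachment and map its name to the list of hold reasons."""
    return {name: screen_attachment(name, content) for name, content in attachments}


def held_attachments(attachments: List[Tuple[str, bytes]]) -> List[str]:
    """Names of the attachments the policy would hold back from the recipient."""
    return [name for name, reasons in screen_mailbox(attachments).items() if reasons]


if __name__ == "__main__":
    for name, reasons in screen_mailbox(SAMPLE_ATTACHMENTS).items():
        status = "HOLD" if reasons else "allow"
        print(f"{status:5} {name}" + (": " + "; ".join(reasons) if reasons else ""))
```

Checking the file signature as well as the name is what catches the third sample: renaming an executable to `.txt` defeats an extension-only filter, and the second control in the quote, denying users administrative rights, is what limits the damage if something does get through.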

Symantec traced Nitro back to a virtual private server (VPS) in the US, but its owner is actually a man from Hebei Region in China whom they refer to as Covert Grove. They are unsure, however, whether Covert Grove operates independently or on behalf of another party or parties.

The US and China have been at each other’s throats over corporate espionage. Rep. Mike Rogers, chairman of the US House of Representatives Intelligence Committee, said that US tolerance for China stealing US technologies has reached its limit.

McAfee Inc., another US-based security firm, said it has uncovered a five-year-long hacking campaign it calls Operation Shady RAT. It has targeted more than 70 government bodies and private corporations around the world, and the evidence also leads back to China. It stole oil-operation, financing and bidding information from oil companies in the US, Taiwan, Greece and Kazakhstan.

A good deal of high-profile cyber attacks have been traced back to China recently. The latest was the hacking of the Japanese government, which began with a spear-phishing attack directed at a lower-house politician and eventually spread the Trojan into the parliament’s network. Fingers are also pointing at China for the satellite hacking that happened four times in two years, from 2007 to 2009.

Now that the spotlight on hacking is focused on China, the dirt from the Mitsubishi Heavy hacking incident might also be wiped on them. That case was quite sensitive, as the hacker or hackers managed to obtain sensitive information about nuclear power plants and fighter jets.
