http://www.reuters.com/article/2011/10/31/us-cyberattack-chemicals-idUSTRE79U4K920111031
New cyber attack targets chemical firms: Symantec
By Jim Finkle
Oct 31, 2011
(Reuters) - At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec Corp.
Computers belonging to these companies were infected with malicious software known as "PoisonIvy," which was used to steal information such as design documents, formulas and details on manufacturing processes, Symantec said on Monday.
It did not identify the companies, but said they include multiple Fortune 100 corporations that develop compounds and advanced materials, along with businesses that help manufacture infrastructure for these industries.
The bulk of the infected machines were based in the United States and United Kingdom, Symantec said, adding that the victims include 29 chemicals companies, some of which developed advanced materials used in military vehicles.
"The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage," Symantec said in a white paper on the campaign, which the company dubbed the "Nitro" attacks.
The cyber campaign ran from late July through mid-September and was traced to a computer system in the United States that was owned by a man in his 20s in Hebei province in northern China, according to Symantec.
Researchers gave the man the pseudonym "Covert Grove" based on a literal translation of his name. They found evidence that the "command and control" servers used to control and mine data in this campaign were also used in attacks on human-rights groups from late April to early May, and in attacks on the motor industry in late May, Symantec said.
"We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role," said Symantec's white paper. "Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties."
The Nitro campaign is the latest in a series of highly targeted cyber attacks that security experts say are likely the work of government-backed hackers.
Intel Corp's security unit McAfee in August identified "Operation Shady RAT," a five-year coordinated campaign on the networks of 72 organizations, including the United Nations, governments and corporations.
In February, McAfee warned that hackers working in China broke into the computer systems of five multinational oil and natural gas companies to steal bidding plans and other critical proprietary information.
Symantec said on Monday that the Nitro attackers sent emails with tainted attachments to between 100 and 500 employees at a company, claiming to be from established business partners or to contain bogus security updates.
When an unsuspecting recipient opens the attachment, it installs "PoisonIvy," a Remote Access Trojan (RAT) that can take control of a machine and that is easily available over the Internet.
While the hackers' behavior differed slightly in each case, they typically identified desired intellectual property, copied it and uploaded it to a remote server, Symantec said in its report.
Symantec did not identify the companies that were targeted in its white paper and researchers could not immediately be reached.
Dow Chemical Co said it detected "unusual e-mails being delivered to the company" last summer and worked with law enforcers to address this situation.
"We have no reason to believe our operations were compromised, including safety, security, intellectual property, or our ability to service our customers," a Dow spokesman said.
A spokesman for DuPont declined to comment.
(Reporting by Jim Finkle. Additional reporting by Matt Daily and Ernest Scheyder; Editing by Gerald E. McCormick and Richard Chang)