A report from Symantec Corp. details a roving campaign of intellectual property theft controlled by a 20 year-old hacker for hire that relied on phishing e-mail, some old malware and command and control operations based in China.
The company on Tuesday unveiled research on the targeted attacks, which used a new variant of Poison Ivy, a well-known piece of malware. The attacks were detected on computers around the world including “multiple Fortune 100 companies,” including 29 companies in the chemical sector, as well as 19 defense firms.
The Cupertino-based company used the Conference on Cyberspace in London to discuss the attacks, which Symantec said began in July, 2011 and continued through the middle of September. The company has dubbed the campaign “Nitro.”
The malware based intrusions appear to represent a “targeted campaign directed primarily at private companies involved in the research, development and manufacture of chemicals and advanced materials,” according to the report.
In its particulars, “Nitro” is indistinguishable from other targeted attacks. Recipients within the target organizations receive phishing e-mail messages containing malicious attachments. When those attachments are opened, the malware is installed on the host machine.
Though the Symantec report calls “Nitro” a “targeted” attack, the actual attacks appear to have been fairly diffuse: more than 500 employees of one target company received a phishing e-mail linked to the attack, and another firm saw 100 employees targeted with malicious email attachments. In many cases, the attachments were password protected ZIP files containing the malware, meaning that recipients needed to enter a password contained within the email to unzip the attachment, which would then launch a self extracting archive containing the malware.
The malware used, a variant of the Remote Access Tool “Poison Ivy,” is a common Trojan horse program that is freely available online. Symantec claims it was used to gather competitive intelligence from targeted firms and said the command and control systems that orchestrated the attack were traced back to a machine belonging to a man living in the Hebei region in China who advertises his services as a “hacker for hire,” and who Symantec has dubbed “Covert Grove.”
The Nitro attacks are similar to countless others against Western firms. Many of those are traceable to systems or groups of hackers in China or other developing nations, though attribution is a tricky matter when it comes to digital attacks. What is clear is that the attacks do have consequences.
Last week the head of the UK Ministry of Defence’s Cyber Security Program told reporters that targeted attacks have cost the British economy some $43 billion in lost economic growth and directly contributed to the demise of a UK wind turbine maker and other firms.