'Nitro' hackers use stock malware to steal chemical, defense secrets

Symantec traces one command-and-control server to China

Attackers used an off-the-shelf Trojan horse to sniff out secrets from nearly 50 companies, many of them in the chemical and defense industries, Symantec researchers said today.

The attack campaign -- which Symantec tagged as "Nitro" -- started no later than last July and continued until mid-September, targeting an unknown number of companies and infecting at least 48 firms with the "Poison Ivy" remote-access Trojan (RAT).

Poison Ivy, which was created by a Chinese hacker, is widely available on the Internet, including from a dedicated website .

The malware has been implicated in numerous attacks, including the March campaign that hacked the network of RSA Security and swiped information about that company's SecurID authentication token technology.

In a paper published today ( download PDF ), Symantec researchers spelled out their analysis of the Nitro attacks and the use of Poison Ivy.

"Nitro wasn't at the level of sophistication of a Stuxnet ," said Jeff Wilhelm, a senior researcher with Symantec's security response, in an interview today. "But there are similarities with other advanced threats."

Among those common traits, said Wilhelm, was the attack's narrow focus.

Poison Ivy was planted on Windows PCs whose owners fell for a dodge delivered via email, said Symantec. Those emails, which were delivered in small numbers -- sometimes to only a few people in a company -- touted meeting requests from reputable business partners, or in some cases, as updates to antivirus software or for Adobe Flash Player.

When users fell for the trick and opened the message attachment, they unknowingly installed Poison Ivy on their machines. After that, the attackers were able to issue instructions to the compromised computers, troll for higher-level passwords to gain access to servers hosting confidential information, and eventually offload the stolen content to hacker-controlled systems.

Many of the same techniques, including substantial time spent scouting targets and crafting individual emails, have characterized a number of notable attacks in the last two years, including the 2009-2010 "Aurora" campaign against Google and dozens of other Western firms, and the attacks against RSA this year.

Wilhelm declined to connect the dots between Nitro and the RSA attack, but did admit that there were similarities.

Twenty-nine of the 48 firms that were successfully attacked were in the chemical and advanced materials trade -- some of the latter with connections to military vehicles -- while the other 19 were in a variety of fields, including the defense sector.

A dozen of the targeted organizations were U.S.-based, said Symantec, while five were headquartered in the U.K. and others in Denmark, Italy, the Netherlands and Japan.

Symantec declined to comment on whether the sole Japanese firm was Mitsubishi Heavy, that country's largest defense contractor. Last month, Mitsubishi confirmed that scores of its servers had been infected with malware in August , a time right in the middle of the Nitro two-and-a-half-month run.

Last week, Mitsubishi Heavy said that secret information may have been stolen from its network during the attack.

Mitsubishi has not identified the attack's origin, or the malware that was placed on its servers and PCs.

China has denied that its government was involved in the attacks against Mitsubishi.

Symantec drew a second connection to China -- the first being Poison Ivy itself -- during its Nitro investigation, saying that it had contacted an individual who owned one of the command-and-control (C&C) servers.

That person, which Symantec named "Covert Grove," was located in the Hebei region of the People's Republic of China. Hebei is a province in northern China, and surrounds the capital, Beijing.

But the information Symantec had on the Nitro attacks was of little use in determining whether Covert Groove acted alone, or if he did, whether he was fronting for a hacking group or even a national government.

"We were able to trace this back to this individual, which is unusual," said Wilhelm. "But we just don't know whether he is the sole hacker."

And Wilhelm was hesitant to draw conclusions about the motivation for the attacks. "It could have been corporate espionage, or it could be anything," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecurity

More about Adobe SystemsAppleetworkGoogleMicrosoftMitsubishi AustraliaRSASymantecTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts