Nitro attacks hit chemical industry

The Nitro hackers went after the secrets of chemical companies, Symantec says.

Hacker

A host of chemical sector companies were targeted by hackers between April and September this year, as part of a coordinated campaign by an unknown group.

A number of Fortune 100 companies involved in research and development of chemical compounds and advanced materials were targeted as part of the attacks, codenamed Nitro, Symantec reported.

The group, a member of which Symantec spoke to in order to gain a greater understanding of the attacks, sought to gain intellectual property by placing a Remote Access Tool (RAT) Trojan known as Poison Ivy onto targets' machines.

Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property.

"First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update," the Symantec report explained.

"The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email."

Once the file was opened, the Poison Ivy malware would install itself on the victim's system and start communicating with a C&C server on TCP port 80 using an encrypted communication protocol.

"Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer's IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes," the Symantec report continued.

"By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property."

A nations state attack?

The motives and backing of the hacking group behind Nitro remain unclear, despite some indicative information uncovered by Symantec.

The majority (27 per cent) of the infected machines identified by the security giant were located in the US, with 20 per cent in Bangladesh and 14 per cent in the UK. However, Symantec said the attackers were not targeting organisations in any particular country, as the geographical spread of hits was varied.

Instead, the security company suggested attackers were either going after sites, or individuals in certain sites, which they knew had access to particular data. The attackers may also simply have been targeting the lowest hanging fruit and attempting to dupe those with weak security, Symantec said.

Whilst China was mentioned in the report the member of the hacking group responsible from Nitro was based in the Hebei region there was no evidence to suggest a nation state was, or was not, behind the attacks.

Nevertheless, the hackers involved in Nitro targeted other industries outside of the chemical sector, making the case for a nation state's involvement more likely.

They targeted another 19 companies, most of which were in the defence industry, Symantec said.

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now

Recommended

Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020
Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

3 Aug 2020