Nitro attacks hit chemical industry

The Nitro hackers went after the secrets of chemical companies, Symantec says.

Hacker

A host of chemical sector companies were targeted by hackers between April and September this year, as part of a coordinated campaign by an unknown group.

A number of Fortune 100 companies involved in research and development of chemical compounds and advanced materials were targeted as part of the attacks, codenamed Nitro, Symantec reported.

The group, a member of which Symantec spoke to in order to gain a greater understanding of the attacks, sought to gain intellectual property by placing a Remote Access Tool (RAT) Trojan known as Poison Ivy onto targets' machines.

Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property.

Advertisement
Advertisement - Article continues below

"First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update," the Symantec report explained.

"The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email."

Once the file was opened, the Poison Ivy malware would install itself on the victim's system and start communicating with a C&C server on TCP port 80 using an encrypted communication protocol.

"Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer's IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes," the Symantec report continued.

"By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property."

A nations state attack?

The motives and backing of the hacking group behind Nitro remain unclear, despite some indicative information uncovered by Symantec.

The majority (27 per cent) of the infected machines identified by the security giant were located in the US, with 20 per cent in Bangladesh and 14 per cent in the UK. However, Symantec said the attackers were not targeting organisations in any particular country, as the geographical spread of hits was varied.

Instead, the security company suggested attackers were either going after sites, or individuals in certain sites, which they knew had access to particular data. The attackers may also simply have been targeting the lowest hanging fruit and attempting to dupe those with weak security, Symantec said.

Whilst China was mentioned in the report the member of the hacking group responsible from Nitro was based in the Hebei region there was no evidence to suggest a nation state was, or was not, behind the attacks.

Advertisement
Advertisement - Article continues below

Nevertheless, the hackers involved in Nitro targeted other industries outside of the chemical sector, making the case for a nation state's involvement more likely.

They targeted another 19 companies, most of which were in the defence industry, Symantec said.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/security/ddos/28039/how-to-protect-against-a-ddos-attack
Security

How to protect against a DDoS attack

25 Oct 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019