Goal of the attackers seems to be to collect intellectual property
A total of 29 companies in the chemical industry and another 19 in various other sectors, primarily the defense sector, were targeted by a recent series of cyber-attacks traced to China, according to security firm Symantec.
The attack wave started in late July 2011 and continued into mid-September 2011.
Symantec, in its white paper ‘The Nitro Attacks: Stealing Secrets From the Chemical Industry,’ said the goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes.
Companies affected include multiple Fortune 100 companies involved in R&D of chemical compounds and advanced materials; companies that develop advanced materials for military vehicles; and companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.
According to Symantec, 12 of the infected companies were based in the US, five in the UK, two in Denmark, and one each in Belgium, Italy, the Netherlands, Saudi Arabia and Japan.
The attackers first researched desired targets and then sent an email specifically to the target.
When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy, a remote access tool (RAT), to be installed. Once PoisonIvy was installed, it contacted a C&C server on TCP port 80 using an encrypted communication protocol.
Through the C&C server, the attackers then instructed the compromised computer to report its IP address.
Using the access of the currently logged-on user, or passwords cracked from dumped hashes, the attackers then moved across the network, infecting additional computers.
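The C&C behaviour described above (an encrypted, non-HTTP protocol carried over TCP port 80) is something a network defender can look for directly. The following heuristic is an added example, not code from the article or from Symantec's white paper: it flags port-80 connections whose first client payload bytes carry no HTTP request line and have high byte entropy, which is what an encrypted RAT session looks like next to normal web traffic. The flow records, addresses and threshold are constructed for illustration.

```python
"""
Added example (not from the article or Symantec's Nitro report): a small
heuristic that flags TCP/80 sessions that are not HTTP. A RAT that talks
to its C&C over port 80 with an encrypted custom protocol sends no HTTP
request line, and its first bytes look random (high entropy). All flow
records below are constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import List

# Request-line prefixes a legitimate HTTP client sends first.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload bytes of the session


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, plaintext sits well below 5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_http(payload: bytes) -> bool:
    return payload.startswith(HTTP_METHODS)


def is_suspicious(flow: Flow, entropy_threshold: float = 5.0) -> bool:
    """True for a port-80 session that is not HTTP and starts with high-entropy bytes."""
    if flow.dport != 80:
        return False  # only port 80 is in scope for this check
    if looks_like_http(flow.first_bytes):
        return False  # ordinary web request
    return shannon_entropy(flow.first_bytes) >= entropy_threshold


def flag_flows(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if is_suspicious(f)]


def sample_flows() -> List[Flow]:
    """Constructed sample: one real HTTP request, one encrypted-looking
    session on port 80, one encrypted session on 443 (expected, TLS)."""
    random_looking = bytes(range(0, 256, 4))  # 64 distinct byte values, entropy 6.0
    return [
        Flow("10.0.0.5", "198.51.100.7", 80,
             b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow("10.0.0.5", "203.0.113.9", 80, random_looking),
        Flow("10.0.0.5", "198.51.100.8", 443, random_looking),
    ]


if __name__ == "__main__":
    for f in flag_flows(sample_flows()):
        print(f"suspicious non-HTTP session on port 80: {f.src} -> {f.dst}")
```

In practice this check belongs on a sensor that sees the first packets of each outbound session (for example, fed from a packet capture or an IDS that exports initial payload bytes); it is a coarse filter, so the flagged hosts are candidates for host-level investigation rather than confirmed infections.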
Last summer US giant Dow Chemical identified unusual e-mails being delivered to the company and worked with law enforcement to tackle the situation.