Nitro attacks hit chemical industry

A host of chemical sector companies were targeted by hackers between April and September this year, as part of a coordinated campaign by an unknown group.

A number of Fortune 100 companies involved in research and development of chemical compounds and advanced materials were targeted as part of the attacks, codenamed Nitro, Symantec reported.

The group, a member of which Symantec spoke to in order to gain a greater understanding of the attacks, sought to gain intellectual property by placing a Remote Access Tool (RAT) Trojan known as Poison Ivy onto targets' machines.

Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property.

"First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update," the Symantec report explained.

"The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email."

Once the file was opened, the Poison Ivy malware would install itself on the victim's system and start communicating with a C&C server on TCP port 80 using an encrypted communication protocol.

"Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer's IP address, the names of all other computers in the workgroup or domain and dumps of Windows cached password hashes," the Symantec report continued.

"By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property."

A nations state attack?

The motives and backing of the hacking group behind Nitro remain unclear, despite some indicative information uncovered by Symantec.

The majority (27 per cent) of the infected machines identified by the security giant were located in the US, with 20 per cent in Bangladesh and 14 per cent in the UK. However, Symantec said the attackers were not targeting organisations in any particular country, as the geographical spread of hits was varied.

Instead, the security company suggested attackers were either going after sites, or individuals in certain sites, which they knew had access to particular data. The attackers may also simply have been targeting the lowest hanging fruit and attempting to dupe those with weak security, Symantec said.

Whilst China was mentioned in the report the member of the hacking group responsible from Nitro was based in the Hebei region there was no evidence to suggest a nation state was, or was not, behind the attacks.

Nevertheless, the hackers involved in Nitro targeted other industries outside of the chemical sector, making the case for a nation state's involvement more likely.

They targeted another 19 companies, most of which were in the defence industry, Symantec said.