This document discusses a recent targeted attack campaign directed primarily at private companies involved in the research, development, and manufacture of chemicals and advanced materials. The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks. As the pattern of chemical industry targets emerged, we internally codenamed the attack campaign Nitro.
The attack wave started in late July 2011 and continued into mid-September 2011. However, artifacts of the attack wave such as Command and Control (C&C) servers are also used as early as April 2011 and against targets outside the chemical industry. The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage.
The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began. This particular attack has lasted much longer than previous attacks, spanning two and a half months.
A total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave and another 19 in various other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the minimum number of companies targeted and likely other companies were also targeted. In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries.
Companies affected include:
- Multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials.
- Companies that develop advanced materials primarily for military vehicles.
- Companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.
The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school.
Covert Grove claimed to have the U.S.-based VPS for the sole purpose of using the VPS to log into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address. He claims this was the sole purpose of the VPS. And by having a static IP address, he could use a feature provided by QQ to restrict login access to particular IP addresses. The VPS cost was RMB200 (US$32) a month. While possible, with an expense of RMB200 a month for such protection and the usage of a U.S.-based VPS, the scenario seems suspicious. We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined.
We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.
Here is a little gem (missed by many) in Symantec's Nitro Attacks Report....
"Figure 2 shows the country of origin of the organizations targeted by these attacks. While the US and UK again figure highly here, overall the geographical spread is different. This means that the infected computers are rarely located within the organizations’ headquarters or country of origin."In attempting to explain this, Symantec misses one another option: attackers like to target people that share their native language - making for easier social engineering attacks.