* Security firm Symantec uncovers "Nitro" cyber attack
* Says at least 29 chemicals firms, 19 others targeted
* Some targets develop materials for military vehicles
* Symantec traces attacks to man in Hebei, China
By Jim Finkle
Oct 31 - At least 48 chemical and defense
companies were victims of a coordinated cyber attack that has
been traced to a man in China, according to a new report from
security firm Symantec Corp (SYMC.O).
Computers belonging to these companies were infected with
malicious software known as "PoisonIvy," which was used to
steal information such as design documents, formulas and
details on manufacturing processes, Symantec said on Monday.
It did not identify the companies, but said they include
multiple Fortune 100 corporations that develop compounds and
advanced materials, along with businesses that help manufacture
infrastructure for these industries.
The bulk of the infected machines were based in the United
States and United Kingdom, Symantec said, adding that the
victims include 29 chemicals companies, some of which developed
advanced materials used in military vehicles.
"The purpose of the attacks appears to be industrial
espionage, collecting intellectual property for competitive
advantage," Symantec said in a white paper on the campaign,
which the company dubbed the "Nitro" attacks.
The cyber campaign ran from late July through mid-September
and was traced to a computer system in the United States that
was owned by a man in his 20s in Hebei province in northern
China, according to Symantec.
Researchers gave the man the pseudonym "Covert Grove" based
on a literal translation of his name. They found evidence that
the "command and control" servers used to control and mine data
in this campaign were also used in attacks on human-rights
groups from late April to early May, and in attacks on the
motor industry in late May, Symantec said.
"We are unable to determine if Covert Grove is the sole
attacker or if he has a direct or only indirect role," said
Symantec's white paper. "Nor are we able to definitively
determine if he is hacking these targets on behalf of another
party or multiple parties."
The Nitro campaign is the latest in a series of highly
targeted cyber attacks that security experts say are likely the
work of government-backed hackers.
Intel Corp's (INTC.O) security unit McAfee in August
identified "Operation Shady RAT," a five-year coordinated
campaign on the networks of 72 organizations, including the
United Nations, governments and corporations.
In February, McAfee warned that hackers working in China
broke into the computer systems of five multinational oil and
natural gas companies to steal bidding plans and other critical
proprietary information.
Symantec said on Monday that the Nitro attackers sent
emails with tainted attachments to between 100 and 500
employees at a company, claiming to be from established
business partners or to contain bogus security updates.
When an unsuspecting recipient opens the attachment, it
installs "PoisonIvy," a Remote Access Trojan (RAT) that can
take control of a machine and that is easily available over the
Internet.
While the hackers' behavior differed slightly in each case,
they typically identified desired intellectual property, copied
it and uploaded it to a remote server, Symantec said in its
report.
Symantec did not identify the companies that were targeted
in its white paper and researchers could not immediately be
reached.
Dow Chemical Co (DOW.N) said it detected "unusual e-mails
being delivered to the company" last summer and worked with law
enforcers to address this situation.
"We have no reason to believe our operations were
compromised, including safety, security, intellectual property,
or our ability to service our customers," a Dow spokesman
said.
A spokesman for DuPont (DD.N) declined to comment.
(Reporting by Jim Finkle. Additional reporting by Matt
Daily and Ernest Scheyder; Editing by Gerald E. McCormick and
Richard Chang)