
"Nitro" spear-phishers attacked chemical and defense company R&D (creepy article)

This topic is archived.
DainBramaged Donating Member (1000+ posts) Tue Nov-01-11 02:36 PM
Original message
"Nitro" spear-phishers attacked chemical and defense company R&D (creepy article)
Symantec has revealed that at least 50 companies, many of them in the defense and chemical industries, have been attacked in a spear-phishing attack aimed at stealing research and development data. The “Nitro” attacks, as Symantec called them, started in late July, and lasted through September, according to a Symantec report (PDF). But the infrastructure used for command and control and other aspects of the attacks were used in another, earlier wave dating at least back to April, which was focused on human rights groups.

There is no known connection to the phishing attacks on RSA earlier this year. And it remains unclear whether the attacks were made by a single individual or group, though it appears the attack came from China. Analysts traced the attack back to a $32-a-month virtual private server in the US, owned by a “20-something male located in the Hebei region of China,” and found traffic being sent back to the network from 52 different organizations in 20 countries, 12 of them based in the US.

Spear phishing is a form of e-mail based attack that is carefully tailored to individuals at the target organization, usually disguised as a file-attachment that appears to be from someone the individual knows. In the Nitro attacks, the attackers used several approaches, but relied largely on two types of phishing: posing as a known business partner and sending what appeared to be meeting invitations, or hitting a larger number of targets with an email “purporting to be a security update,” according to Symantec’s Eric Chien and Gavin O’Gorman. The attacks included executable files that were disguised as text files, or as password-protected archives. In both cases, the file would execute when opened, installing a program called PoisonIvy—a backdoor developed by a “Chinese speaker,” according to the Symantec report.

The backdoor then sent back the IP address of the infected computer, the names of other computers visible in the Windows workgroup the computer was in, and Windows cached password hashes. This allowed the hackers to remotely control the system, possibly even downloading additional tools to attack from within the network, and infect other computers in an attempt to gain administrative credentials and access to servers containing sensitive data.


http://arstechnica.com/business/news/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd.ars


We spend BILLIONS in the Middle East controlling the Brown people, and a guy with a $32 a month server is stealing our future. Great choice Defense Department.
truedelphi Donating Member (1000+ posts) Tue Nov-01-11 02:45 PM
Response to Original message
1. The tens of billions we spend on defense
Comes to the providers with a nice source of kickbacks. But internet security - a new realm.

Once they figure out how to skim a lot off the top from that source, there will be more attempts to heighten internet security. Not that that security will work any better than many of our failed attempts at putting together new defense aircraft, weaponry or vehicles, though.

Mojeoux Donating Member (1000+ posts) Tue Nov-01-11 03:34 PM
Response to Original message
2. K and freaking R