The Nitro Attacks: Stealing Secrets from the Chemical Industry
By Eric Chien and Gavin O’Gorman.
This document discusses a recent targeted attack campaign directed primarily at private companies involved in the research, development, and manufacture of chemicals and advanced materials. The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operational history, including attacks on other industries and organizations; attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try to gain insights into the motivations behind these attacks. As the pattern of chemical industry targets emerged, we internally code-named the attack campaign Nitro.

The attack wave started in late July 2011 and continued into mid-September 2011. However, artifacts of the attack wave, such as Command and Control (C&C) servers, were also in use as early as April 2011 and against targets outside the chemical industry. The purpose of the attacks appears to be industrial espionage: collecting intellectual property for competitive advantage.

Targets

The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began. This particular attack has lasted much longer than previous attacks, spanning two and a half months. A total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave, and another 19 in various other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the minimum number targeted; other companies were likely targeted as well.
In a recent two-week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries. Companies affected include:
- Multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials.
- Companies that develop advanced materials primarily for military vehicles.
- Companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.

Attack methodology

The attackers first researched desired targets and then sent an email specifically to the target. Each organization typically only saw a handful of employees at the receiving end of these emails. However, in one organization almost 500 recipients received a mail, while in two other organizations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out. First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Second, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email. In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker. When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy to be installed. Once PoisonIvy was installed, it contacted a C&C server on TCP port 80 using an encrypted communication protocol.
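As an added example (not code from the Symantec report), the following Python flags connections to TCP port 80 whose first client bytes are not an HTTP request and look encrypted, which is the shape of the PoisonIvy C&C channel described above. The flow records and the ciphertext stand-in are constructed, and the 6.0 bits/byte entropy threshold is an assumption.

```python
import math
import re
from collections import Counter, defaultdict

# Request line of an HTTP/1.x client; anything else arriving on TCP/80 deserves a look.
HTTP_REQ = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r\n")
# Assumption: ciphertext approaches 8 bits/byte, while text protocols sit well below 6.
ENTROPY_THRESHOLD = 6.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_flow(dport: int, client_bytes: bytes) -> str:
    """Label a flow by its first client bytes: http, non-http-plaintext, encrypted-on-80 or other-port."""
    if dport != 80:
        return "other-port"
    if HTTP_REQ.match(client_bytes):
        return "http"
    if shannon_entropy(client_bytes) > ENTROPY_THRESHOLD:
        return "encrypted-on-80"
    return "non-http-plaintext"

def find_covert_port80(flows) -> dict:
    """flows: iterable of (src_ip, dst_ip, dport, client_bytes).
    Returns {(src, dst): count} for pairs exchanging encrypted, non-HTTP data on port 80."""
    hits = defaultdict(int)
    for src, dst, dport, payload in flows:
        if classify_flow(dport, payload) == "encrypted-on-80":
            hits[(src, dst)] += 1
    return dict(hits)

# Constructed samples: a stand-in for a 128-byte encrypted handshake (every other byte
# value exactly once, so 7 bits/byte of entropy) plus ordinary plaintext flows.
CONSTRUCTED_CIPHERTEXT = bytes(range(0, 256, 2))
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 80, CONSTRUCTED_CIPHERTEXT),
    ("10.0.0.5", "203.0.113.9", 80, CONSTRUCTED_CIPHERTEXT),
    ("10.0.0.7", "198.51.100.2", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", "198.51.100.2", 80, b"HELO mail.example.com\r\n"),
    ("10.0.0.8", "198.51.100.2", 443, CONSTRUCTED_CIPHERTEXT),
]

if __name__ == "__main__":
    for pair, count in find_covert_port80(SAMPLE_FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}:80  {count} encrypted non-HTTP connection(s)")
```

A TLS ClientHello on port 80 would also trip the entropy check, so in production the classifier should first exclude flows that begin with a TLS record header.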
Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes. By using access to additional computers through the currently logged on user or passwords cracked from the dumped hashes, the attackers then began traversing the network, infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials. The attackers may have also downloaded and installed additional tools to penetrate the network further. While the behavior of the attackers differs slightly in each compromise, generally once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers. This content is then uploaded to a remote site outside of the compromised organization, completing the attack.

Geographic Spread

Figure 1 shows the location of infected computers. This data is derived from the IP addresses of machines connecting back to the command and control server. The majority of infected machines are located in the US, Bangladesh and the UK; however, overall there is a wide geographical spread of infections.

Figure 1: Geographic location of infected computers

Figure 2 shows the country of origin of the organizations targeted by these attacks. While the US and UK again figure highly here, overall the geographical spread is different. This means that the infected computers are rarely located within the organizations’ headquarters or country of origin.
Figure 2: Country of origin of targeted organizations* (USA 12, UK 5, Denmark 2, Belgium 1, Netherlands 1, Italy 1, Japan 1, Saudi Arabia 1)

*Additional confirmed infections exist; however, they did not contact the command and control server during the two-week period we were monitoring it.

There are two possible explanations for this:
- The attackers are targeting sites, or individuals in certain sites, which they know have access to certain data that is of interest to the attacker.
- The attackers are targeting sites or individuals that they believe have fewer security measures in place and are therefore an easier access point into the victims’ networks.

We can conclude that the attackers are not targeting organizations in a particular country.

Attribution

The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school. Covert Grove claimed to have the U.S.-based VPS for the sole purpose of logging into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address, and by having a static IP address he could use a feature provided by QQ to restrict login access to particular IP addresses. He claims this was the sole purpose of the VPS. The VPS cost RMB200 (US$32) a month. While possible, with an expense of RMB200 a month for such protection and the use of a US-based VPS, the scenario seems suspicious.
We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined. We are unable to determine whether Covert Grove is the sole attacker or whether he has a direct or only an indirect role. Nor are we able to definitively determine whether he is hacking these targets on behalf of another party or multiple parties.

Technical details

As mentioned above, the threat used to compromise the targeted networks is Poison Ivy, a Remote Access Tool (RAT). This application is freely available from poisonivy-rat.com. It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer.

Delivery

The method of delivery has changed over time as the attackers have changed targets. Older attacks involved a self-extracting archive with a suggestive name, for example: “Human right report of north Africa under the war. scr”. The most recent attacks focusing on the chemical industry use password-protected 7zip files which, when extracted, contain a self-extracting executable. The password to extract the 7zip file is included in the email. This extra stage is used to prevent automated systems from extracting the self-extracting archive. Some example file names using this technique include:
- AntiVirus_update_package.7z
- acquisition.7z
- offer.7z
- update_flashplayer10ax.7z

An example of an email used to send the attachment can be seen in figure 3.

Figure 3: Malicious email

The email is quite generic, applicable to any corporate user. Some of the subject lines will vary and may include the name of the targeted company in an attempt to be more convincing.
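As an added example (not code from the report), the following Python triages mail attachments for the two delivery methods described in the attack methodology section and in the Delivery section above: an executable named to look like a document, and a password-protected 7z archive whose password is handed over in the message body. The sample message, attachment names and leading bytes are constructed; the extension lists and the password regex are heuristics of my own.

```python
import re

# Signatures of the two attachment types described in the report.
MZ_MAGIC = b"MZ"                          # Windows PE: the self-extracting executable
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"       # 7-Zip archive header
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Assumptions: a document-looking extension hidden in front of an executable one,
# and a password handed over in the body ("The password is: ..."). Both are heuristics.
DOUBLE_EXT_RE = re.compile(r"\.(txt|pdf|doc|docx|xls|rtf)\s*\.(exe|scr|com|pif)$", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b(?:\s+is)?\s*[:=-]?\s*[A-Za-z0-9]{3,}", re.I)

def final_ext(name: str) -> str:
    """Extension after the last dot, with stray spaces removed ("war. scr" -> ".scr")."""
    name = re.sub(r"\.\s+", ".", name.strip().lower())
    return name[name.rfind("."):] if "." in name else ""

def triage_attachment(name: str, data: bytes, body: str) -> set:
    """Return the set of Nitro-style delivery indicators for one attachment."""
    findings = set()
    ext = final_ext(name)
    if data.startswith(MZ_MAGIC):
        findings.add("pe-executable")
        if ext not in EXEC_EXTS:
            findings.add("executable-with-non-executable-name")   # name/icon masquerade
        if ext == ".scr":
            findings.add("screensaver-extension")                # older Nitro lures
    if DOUBLE_EXT_RE.search(name):
        findings.add("double-extension")                         # e.g. report.txt.exe
    if data.startswith(SEVENZ_MAGIC):
        findings.add("7z-archive")
        if PASSWORD_RE.search(body):
            findings.add("password-in-body")   # defeats automated extraction and scanning
    return findings

def triage_message(body: str, attachments: list) -> dict:
    """attachments: list of (filename, leading bytes). Returns {filename: sorted findings}."""
    return {n: sorted(triage_attachment(n, d, body)) for n, d in attachments}

# Constructed sample modelled on the lures described in the report (no real malware).
SAMPLE_BODY = "Please install the attached AntiVirus update. The password is: update2011"
SAMPLE_ATTACHMENTS = [
    ("AntiVirus_update_package.7z", SEVENZ_MAGIC + b"\x00" * 26),
    ("Human right report of north Africa under the war. scr", b"MZ\x90\x00" + b"\x00" * 60),
    ("quarterly_report.txt.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("minutes.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, findings in triage_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {findings or 'clean'}")
```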
Download the PDF from Symantec to read more and see the graphics.
In a paper published today, 10-31-2011 (download PDF), Symantec researchers spelled out their analysis of the Nitro attacks and the use of Poison Ivy.