The Inquirer-Home

Lone man hacked 48 chemical and defence firms

Poisonivy cyber attack spotted by Symantec
Tue Nov 01 2011, 09:15

ONE CHINESE MAN has attacked 48 chemical and defence firms, according to a report by security firm Symantec.

Computers and IT systems were infected by the easy-to-find and use Poisonivy malware, which was then used to take their sensitive information, including design plans and formulas.

A whitepaper published by the firm and called "The Nitro Attacks: Stealing secrets from the Chemical Industry" says that the attack lasted for about two months. It does not name any of the targeted companies, but says that they are big name businesses.

Twenty-nine of the attacked firms are in the chemicals business and a further 19 are in related industries, according to the report (PDF). They include Fortune 100 companies working in research and development of chemical compounds and advanced materials, firms developing advanced materials primarily for military vehicles, and companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.

In nearly all of the cases a small number of staff were sent an email that included an executable file. This file was written in Chinese, according to the report, and this once again raises the suggestion that China is targeting critical businesses overseas, something that it has vehemently denied. Still, the report at hand suggests that there is a big player behind the assault.

"The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China," explained Symantec. The firm is unable to say whether this person, which it has named Covert Grove, is working on his own or on behalf of other parties. The nature of the attacks suggests that the stolen data is of interest to more than just one individual however.

"Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials."

Fourteen of the infected computers were in the UK, according to the report, and 27 were in the US. Others were spread across the globe. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015