'Nitro' hackers use stock malware to steal chemical, defense secrets
Symantec traces one command-and-control server to China
Computerworld - Attackers used an off-the-shelf Trojan horse to sniff out secrets from nearly 50 companies, many of them in the chemical and defense industries, Symantec researchers said today.
The attack campaign -- which Symantec tagged as "Nitro" -- started no later than last July and continued until mid-September, targeting an unknown number of companies and infecting at least 48 firms with the "Poison Ivy" remote-access Trojan (RAT).
Poison Ivy, which was created by a Chinese hacker, is widely available on the Internet, including from a dedicated website.
The malware has been implicated in numerous attacks, including the March campaign that hacked the network of RSA Security and swiped information about that company's SecurID authentication token technology.
In a paper published today (download PDF), Symantec researchers spelled out their analysis of the Nitro attacks and the use of Poison Ivy.
"Nitro wasn't at the level of sophistication of a Stuxnet," said Jeff Wilhelm, a senior researcher with Symantec's security response, in an interview today. "But there are similarities with other advanced threats."
Among those common traits, said Wilhelm, was the attack's narrow focus.
Poison Ivy was planted on Windows PCs whose owners fell for a dodge delivered via email, said Symantec. Those emails, which were delivered in small numbers -- sometimes to only a few people in a company -- touted meeting requests from reputable business partners, or in some cases, as updates to antivirus software or for Adobe Flash Player.
When users fell for the trick and opened the message attachment, they unknowingly installed Poison Ivy on their machines. After that, the attackers were able to issue instructions to the compromised computers, troll for higher-level passwords to gain access to servers hosting confidential information, and eventually offload the stolen content to hacker-controlled systems.
Many of the same techniques, including substantial time spent scouting targets and crafting individual emails, have characterized a number of notable attacks in the last two years, including the 2009-2010 "Aurora" campaign against Google and dozens of other Western firms, and the attacks against RSA this year.
Wilhelm declined to connect the dots between Nitro and the RSA attack, but did admit that there were similarities.
Twenty-nine of the 48 firms that were successfully attacked were in the chemical and advanced materials trade -- some of the latter with connections to military vehicles -- while the other 19 were in a variety of fields, including the defense sector.
A dozen of the targeted organizations were U.S.-based, said Symantec, while five were headquartered in the U.K. and others in Denmark, Italy, the Netherlands and Japan.
Symantec declined to comment on whether the sole Japanese firm was Mitsubishi Heavy, that country's largest defense contractor. Last month, Mitsubishi confirmed that scores of its servers had been infected with malware in August, a time right in the middle of the Nitro two-and-a-half-month run.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Driving Secure Enterprise File Sharing and Syncing in the Enterprise
- GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
- The Enterprise File Sharing Option
- Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
- Security Strategies to Virtualizing Internet-Facing Applications
- The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications....
- Cloud Security Planning Guide
- Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different...
- Cloud Security Vendor Round Table
- This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions... All Security White Papers
- Live Webcast
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute - Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Data Privacy and Protection in Production Environments: New Research from Ponemon Institute
- Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT
In a recent study conducted by Ponemon Institute, fifty-five percent of respondents... - Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter?
- FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which...
- BlackBerry PlayBook OS 2.0 Security Overview
- The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and...
- BlackBerry NFC Security Overview
- The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers...
- Playing Defense: Staying on Top of Your Disaster Recovery Game
- When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing... All Security Webcasts