'Nitro' Botnet Targeted More Than 48 Companies
Close to 50 industrial companies were attacked in recent months by a readily available Trojan designed for information gathering.
The so-called "nitro" attackers used the "Poison Ivy" malware, which can easily be obtained on the Internet, according to a Symantec report, "The Nitro Attacks: Stealing Secrets from the Chemical Industry." The security solution vendor investigated an attack that targeted 29 companies in the chemical sector and another 19 in defense-related sectors between July and September of this year.
E-mail containing the Trojan was sent to individuals in the targeted companies. Once installed, the malware contacted a command-and-control server over an encrypted communication protocol and deposited the information it gathered there. The botnet harvested the infected system's IP address, information about other computers connected to the same network and Windows-cached password hashes. With that data in hand, the attackers could gain access to a wide range of company information.
"While the behavior of the attackers differs slightly in each compromise, generally once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers," said Symantec in the report. "This content is then uploaded to a remote site outside of the compromised organization completing the attack."
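The staging pattern Symantec describes (content copied into archives on an internal system, then uploaded to a remote site) can be turned into a simple correlation rule. The following is an added example, not code from the article or from Symantec: it runs a rule over a handful of constructed log records (file-server audit events and proxy/egress events normalised into one record shape) and flags a host that creates an archive and then sends a large volume of data to an address outside the organisation's own ranges within a set window. The field names, the internal address ranges, the thresholds and the sample values are all assumptions chosen for the illustration.

```python
"""Correlate internal archive staging with a later outbound upload.

Added example, not from the Symantec report or the article. The record
shape, internal network list, thresholds and sample data are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry). Timestamps are UTC.
# "file" records come from file-server auditing, "egress" records from a
# proxy or flow collector; both are normalised to the same dict shape.
SAMPLE_EVENTS = [
    {"ts": "2011-08-10T21:05:00", "kind": "file", "host": "10.20.5.17",
     "path": r"\\fs01\eng\formulations.pdf", "op": "read"},
    {"ts": "2011-08-10T21:12:00", "kind": "file", "host": "10.20.5.17",
     "path": r"C:\Windows\Temp\upd.rar", "op": "create"},
    # 203.0.113.0/24 is a documentation range, standing in for an external site.
    {"ts": "2011-08-10T23:40:00", "kind": "egress", "host": "10.20.5.17",
     "dst": "203.0.113.45", "bytes_out": 48_000_000},
    # Benign: nightly backup archive, sent only to an internal backup target.
    {"ts": "2011-08-10T22:00:00", "kind": "file", "host": "10.20.9.3",
     "path": r"D:\backup\nightly.zip", "op": "create"},
    {"ts": "2011-08-10T22:30:00", "kind": "egress", "host": "10.20.9.3",
     "dst": "10.20.1.2", "bytes_out": 900_000_000},
    # Benign: small outbound traffic from a workstation with no staging.
    {"ts": "2011-08-10T21:30:00", "kind": "egress", "host": "10.20.5.44",
     "dst": "198.51.100.7", "bytes_out": 120_000},
]

# Assumed internal address space; anything outside it counts as "remote".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".cab")


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_staged_exfil(events, window=timedelta(hours=6), min_bytes=10_000_000):
    """Return one alert per (archive, upload) pair where a host creates an
    archive and then, within `window`, sends at least `min_bytes` to a
    non-internal destination. Events may arrive in any order."""
    staged = {}   # host -> list of (create time, archive path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["kind"] == "file" and ev["op"] == "create"
                and ev["path"].lower().endswith(ARCHIVE_EXTS)):
            staged.setdefault(ev["host"], []).append((ts, ev["path"]))
        elif ev["kind"] == "egress":
            if is_internal(ev["dst"]) or ev["bytes_out"] < min_bytes:
                continue
            for created, path in staged.get(ev["host"], []):
                if timedelta(0) <= ts - created <= window:
                    alerts.append({"host": ev["host"], "archive": path,
                                   "dst": ev["dst"], "bytes_out": ev["bytes_out"]})
    return alerts


if __name__ == "__main__":
    for alert in find_staged_exfil(SAMPLE_EVENTS):
        print("staging-then-upload:", alert)
```

The rule is deliberately coarse: it does not inspect content, and a real deployment would tune the window, the byte threshold and the archive list to the environment and pair the alert with the file-read events that preceded the archive. The point it makes is the one Symantec's description invites: because the attackers stage on internal hosts before uploading, the staging step itself is visible to file-server auditing well before the data leaves the network.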
According to the report, the United States had 27 infected computers across a handful of companies, more than any other country. The attacks were nonetheless spread across the globe, with Bangladesh (20 infected systems) and the United Kingdom (14 infected systems) rounding out the top three targeted countries.
Symantec traced the point of attack to a virtual private server located in the United States, but the report alleges that the attacker is located in China. He is a "20-something male located in the Hebei region in China" who goes by the pseudonym Covert Grove, according to Symantec's report. The attacker advertises himself as a "hacker for hire" and was the one who accessed the U.S. server, Symantec's report claims, but it is unclear whether he acted alone.
The hands-on nature of this case sets the nitro attacks apart from comparable ones, such as the Rustock and Kelihos botnets that were taken down in high-profile actions this year.
"When the Poison Ivy backdoor connects to the attackers' command and control infrastructure there is a human at the other end that can begin exploring the compromised computer and the network to which it belongs," wrote Nart Villeneuve, senior threat researcher at TrendLabs, in a blog post. "This attacker can steal information, install additional malware and compromise other machines on the same network. Most importantly, the human on the other end of the Poison Ivy Trojan can react to defensive measures taken by the victim."
Instead of sending out millions of e-mails blanketed over the globe to extract unspecified personal information, this attack had clear targets and a precise goal. Villeneuve suggests that the lesson learned from a focused attack such as this one is that companies need to devise a comprehensive security strategy for their data. Not only should they focus on blocking access to such malware by end users but they should also secure any servers storing sensitive corporate information.
"Since such attacks focus on the acquisition of sensitive data, strategies that focus on protecting the data itself, wherever it resides, are extremely important components of defense," wrote Villeneuve. "By effectively using threat intelligence derived from external and internal sources combined with context-aware data protection and security tools that empower and inform human analysts, organizations are better positioned to detect and mitigate targeted attacks."