Nitro hacking attacks explained

The Nitro hacking attacks were a targeted malware campaign in 2011 suspected to be a case of corporate espionage. At least 48 confirmed companies were infected with a Trojan called Poison Ivy that transferred intellectual property to remote servers.[1] Much of the information known about these attacks comes from a white paper published by cybersecurity company Symantec (renamed NortonLifeLock).

Targets

Initial attacks in April and May 2011 targeted human rights organizations, though later in May the focus shifted to automotive companies.[2] Then from July to September another series of breaches occurred with the majority of targets in the chemical and advanced materials industry and the defense sector. The attacks were international, with targeted firms in 20 countries, though the majority were in the U.S., U.K., and Bangladesh.[3]

Methods

The targets seem to have been carefully selected and researched, with spear phishing emails usually going out to only a handful of employees at each company and claiming to be sent from specific business partners or to contain security updates.[4] These emails came with an attachment that infected the user's computer with Poison Ivy, which then allowed attackers to send remote commands and eventually gain access to valuable data. In a strange move, the hackers actually used Symantec's report on their activities as a means to gain victims' trust. After the paper was published, new emails were sent by Nitro that pretended to be from Symantec and contained cursory information about the attack along with an attachment named "the_nitro_attackspdf.7z". This executable file would actually create a PDF of the real Symantec white paper, but would also infect the machine with the remote access Trojan.[5]

Perpetrators

Unusually for a cybersecurity investigation, researchers were able to trace some attacks back to an individual dubbed Covert Grove who owned a U.S.-based virtual private server involved in the campaign, though he operated from Heibei Province, China.[6] The man claimed to only use the server for logging into the QQ instant messaging system and investigators were never able to confirm his direct involvement or connection to any other organization.[7] However, Symantec later attributed to the same Nitro group a series of attacks in 2012 using a Java zero-day vulnerability called CVE-2012-4681.[8]

See also

External links

Notes and References

  1. Web site: Schwartz . Matthew J. . Nitro Malware Targeted Chemical Companies . DARK Reading . 1 November 2011.
  2. Web site: Finkle . Jim . New cyber attack targets chemical firms: Symantec . Reuters . 31 October 2011.
  3. Web site: Gallagher . Sean . "Nitro" spear-phishers attacked chemical and defense company R&D . . 1 November 2011.
  4. Web site: Prince . Brian . Coordinated Cyber Attacks Hit Chemical and Defense Firms . Security Week . 31 October 2011.
  5. Web site: Prince . Brian . Nitro Attackers Pose as Symantec in Attempt to Spread Malware . Security Week . 12 December 2011.
  6. Web site: Keizer . Gregg . 'Nitro' hackers use stock malware to steal chemical, defense secrets . . 31 October 2011.
  7. Web site: Eric Chien . Gavin O'Gorman . The Nitro Attacks: Stealing Secrets from the Chemical Industry . Symantec . https://web.archive.org/web/20191223182949/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf . 23 December 2019 . dead.
  8. Web site: Fisher . Dennis . Use of Java Zero-Day Flaws Tied to Nitro Attack Crew . threatpost . 7 April 2021 . 30 August 2012.