Infrastructure protection

Chemical industry hit by “Nitro” cyberattacks

Published 9 November 2011

In a string of cyberattacks, hackers have stolen critical formulas and plans from major chemical companies; the latest attacks, dubbed “Nitro,” were uncovered by Symantec, which reported that the hackers’ aim was corporate espionage rather than a terrorist attempt to procure chemicals

In a string of cyberattacks, hackers have stolen critical formulas and plans from major chemical companies. 

The latest attacks, dubbed “Nitro,” were uncovered by Symantec, which reported that the hackers’ aim was corporate espionage rather than a terrorist attempt to procure chemicals. 
“The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage,” the report said. 
From July to September, the attackers collected intellectual property from chemical firms including design documents, formulas, and manufacturing processes. 
In particular, the hackers targeted major Fortune 100 companies that focused on chemical research and development, companies involved in advanced material research for military vehicles, and those that produce manufacturing infrastructure for the chemical and advanced materials industries.
Beyond the chemical sector, Symantec researchers found that the hackers also infiltrated the networks of human rights-related NGOs and the automotive industry. 
A total of twenty-nine chemical companies along with nineteen other firms were hit in the Nitro attacks, but researchers believe there are likely more.
“These forty-eight companies are the minimum number of companies targeted and likely other companies were also targeted,” Symantec said. “In a recent two-week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented fifty-two different unique Internet Service Providers or organizations in twenty countries.”
The majority of the infected computers were found in the United States, United Kingdom, and Bangladesh. Of the forty-eight companies hacked, twelve were based in the United States. 
According to Symantec, the hackers infiltrated the company networks through a phishing campaign: employees received fake emails that tricked them into opening a malicious attachment. Researchers found that one such email, sent to 500 employees at a single company, carried PoisonIvy, a common backdoor Trojan created by a Chinese hacker. 
It is unclear exactly who executed the attacks, but researchers were able to trace the attacks to a virtual private server (VPS) housed in the United States, which was owned by a man in China, codenamed Covert Grove.
“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” the report said. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”