Major attack on chemical and defense companies detected by Symantec

Approaching 50 chemical and defense companies have been the victims of a coordinated cyberattack that has been tracked all the way back to a single man in China, according to a new report from Symantec.

IT systems belonging to these companies were infected with malicious software known as PoisonIvy, which was used to steal information including design documents, formulas and details of manufacturing processes.

Symantec's report does not identify the companies, but it notes they include multiple Fortune 100 businesses that develop compounds and advanced materials, along with businesses that help manufacture infrastructure for these industries.

The bulk of the infected machines were based in the US and UK, with victims including 29 chemical companies, some of which developed advanced materials used in military vehicles.

According to the report – which was authored by researchers Eric Chien and Gavin O’Gorman – the attackers have changed their targets over time. From late April to early May, the attackers focused on human rights-related NGOs. They then moved on to the motor industry in late May.

Then, from June until mid-July of this year, the attacker(s) seemed to take a break – and it was at this point, Symantec says, that the current attack campaign against the chemical industry began. This particular campaign has lasted much longer than the previous ones, spanning two and a half months.

“A total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave and another 19 in various other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the minimum number of companies targeted and likely other companies were also targeted”, noted the paper.

“In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries”, the paper added.

Symantec says that numerous targeted attack campaigns occur every week. They primarily target private industry, in search of key intellectual property for competitive advantage; military institutions and governmental organizations, often in search of documents related to current political events; and human rights organizations.

This attack campaign, the IT security firm added, focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes.

Commenting on the attacks, Mike Smart, product and solutions director for EMEA with SafeNet, said that they appear to reflect a renewed focus on how to protect a company’s most valuable IP from hacking attacks that may be state-sponsored.

“This has included claims about a sophisticated spear phishing and Trojan attack on leading chemical and pharmaceutical companies. While these attacks lead commentators to point out the need for stronger defensive perimeters, it is clear that such attacks are targeting the IP or data itself, which can be further thwarted with deeper, multi-layered security with strong encryption at its core”, he said.

According to Smart, human nature rather than technology is the Achilles’ heel here, as emails and attachments get opened in the first place because people ‘trust’ the sender or the content looks genuine.

“This is why a multi-layered defense is so critical because it guards against attacks that exploit human error and credulity, and protects the data itself”, he explained.

“But we also mustn’t forget that e-security infrastructure itself must be protected from attacks. Among the many lessons to be learned from this year’s spate of data breaches is the need to deploy encryption and secure the digital keys themselves to mitigate the damage done from these types of attacks”, he said.

Over at Imperva, Rob Rachwald, the firm's director of security strategy, said that every government and private enterprise that sits on sensitive data or intellectual property must recognize that they will be a cyber target.

“Global interconnectivity means it’s cheaper to let someone innovate only to have hackers steal it later. And this arithmetic won’t be changing anytime soon”, he said.
