Security software giant Symantec isn't naming any names, but it reported Tuesday that it's been tracking an ongoing cyber-attack against what sound like companies Buzz readers might recognize. Chinese malware has been snooping around the computer networks of, as Symantec put it:
"Multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials.The report said some 19 total companies "in the defense sector" were targeted in the hacking campaign, which apparently was designed to sniff out "intellectual property such as design documents, formulas, and manufacturing processes." Symantec's report goes into fascinating detail about who its investigators believe was responsible for the hacks and how they worked, and key parts of it are well worth excerpting.
• Companies that develop advanced materials primarily for military vehicles.
• Companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry."
First, the who:
The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school.Maybe this upstanding young citizen is just a big chemistry buff and his hobby is studying the composition of the armor plating on U.S. military vehicles, right? Well, it's one theory. So how was Covert Grove able to get his malware into these defense firms' systems? Simple emails:
Covert Grove claimed to have the U.S.-based VPS for the sole purpose of using the VPS to log into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address. He claims this was the sole purpose of the VPS. And by having a static IP address, he could use a feature provided by QQ to restrict login access to particular IP addresses. The VPS cost was RMB200 (US$32) a month. While possible, with an expense of RMB200 a month for such protection and the usage of a US-based VPS, the scenario seems suspicious. We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined. We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.
The attackers first researched desired targets and then sent an email specifically to the target. Each organization typically only saw a handful of employees at the receiving end of these emails. However, in one organization almost 500 recipients received a mail, while in two other organizations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out. First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email. In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker.Diabolical! And it all just goes back to the same old lesson -- be careful when you download attachments!
When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy to be installed. Once PoisonIvy was installed, it contacted a C&C server on TCP port 80 using an encrypted communication protocol. Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes.
By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials. The attackers may have also downloaded and installed additional tools to penetrate the network further.