PoisonIvy RAT used to extract data from chemical and defense firms

By on October 31, 2011, 4:00 PM

Symantec Corp has revealed that a coordinated cyber attack targeted at least 48 chemical and defense companies in the US, Bangladesh and the UK. The source of the attack has been traced to a man in China, according to the report.

Computers at each company were hit with a software tool known as “PoisonIvy”, a readily-available Remote Access Trojan that facilitated the theft of information including design documents, formulas and details about manufacturing processes.

Symantec didn’t name the companies affected but it did say that several of them were Fortune 100 corporations. Additionally, 29 victims were chemical companies and some of those affected develop advanced materials used by the military. The attacks were carried out from July through mid-September.

The security firm says the attacks appear to be industrial espionage, essentially an attempt to collect sensitive material to give competitors an advantage. The person in question has been given the nickname Covert Grove and is believed to be responsible for attacks on human-rights groups and the automotive industry in April and May. The chemical campaign, dubbed the “Nitro” attacks, was traced to a man in his 20s in Hebei province in northern China.

"We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role," said Symantec in a published report. "Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties."

PoisonIvy was sent by email to multiple recipients at each company, as an attachment that installed the program without the recipient's knowledge. The emails were forged to look as though they came from an established business partner or to pass as an essential security update.

Images via luchschen, angelo gilardelli / Shutterstock




User Comments: 14

TomSEA, TechSpot Chancellor, said:

So where's China's obligatory and standard, "it wasn't us" comment?

Guest said:

So this is what passes in the intelligence community as a Significant and Sustained Cyber Attack, one lone guy in China sending out a trojan horse program called Poison-Ivy to a couple of Windows users who are too stupid to not click the attachment. Perhaps he should have used LostDoor instead, from what I know that one actually spreads on a USB stick.

Guest said:

God forbid the intelligence community ever gain any.. Intelligence that is, if they did they would probably be screaming at the people providing them with Platinum SSL Certificates that they're paying in excess of $199.00 a year for - that do absolutely nothing, only today I was showing another security researcher just how badly broken SSL Certification actually is... But they are oblivious to just how badly it's actually broken because they lack the intelligence to understand it!

Mindwraith said:

so America is developing chemicals for use by the military? that's comforting........

Guest said:

Let's just take a wild stab in the dark here, which anti-virus firm were these firms that have all supposedly been hacked into relying upon for their protection? Would it be the same anti-virus firm selling them VeriSign Security Certificates for in excess of $199.00 a year per license per desktop?!

Technolust said:

Here's something for VeriSign and the intelligence community to put in their pipe and smoke.

Certification path for "www.symantec.com"

Subject: OID.1.3.6.1.4.1.311.60.2.1.3=US,OID.1.3.6.1.4.1.311.60.2.1.2=Delaware,OID.2.5.4.15=Private Organization,serialNumber=2158113,C=US,postalCode=94043,ST=California,L=Mountain View,OID.2.5.4.9=350 Ellis Street,O=Symantec Corporation,OU=IT Security,CN=www.symantec.com

Issuer: C=US,O="VeriSign, Inc.",OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA

Validity: from 16/08/11 00:00:00 UTC to 15/08/12 23:59:59 UTC

-----BEGIN CERTIFICATE-----

Long story short, I can steal and re-sign your security certificates and then re-issue them to whoever I want because the authenticity part designed by its creator was in his own words a hand-wave!

-----END CERTIFICATE-----

Technolust said:

That's what I call NEWS.. Not listening to how some old Chinese guy sent loads of dumb asses a trojan that they then **double-clicked**

aj_the_kidd said:

Mindwraith said:

so America is developing chemicals for use by the military? that's comforting........

Most of the time the military buys goods off public and private companies rather than making it in-house, it costs less to buy than to own and produce themselves

Back on topic, I know of a couple of very intelligent people that are shockingly technologically inept, it's actually quite mind-boggling

Technolust said:

I know people like that, I've met quite a few.

Zilpha said:

Laugh. out. loud.

That's really all I have to say about that.

Guest said:

Err.... Do you even know how public-private keys work at all? If not, please don't scare the public. And please go ahead and reissue the cert, and see if any browser would just accept it.

Burty117, TechSpot Chancellor, said:

aj_the_kidd said:

I know of a couple of very intelligent people that are shockingly technologically inept, it's actually quite mind-boggling

+1 on that, I know someone who can speak several different languages, got A+ in everything at school and she really does know a lot, however, put a laptop in front of her and she might as well just dribble on it. She struggles to tell the difference between the "Internet" and "Internet Explorer" or the concept of a different browser. Installing a program is pretty much impossible and anything other than Facebook is pretty much a no go.

Win7Dev said:

Mindwraith said:

so America is developing chemicals for use by the military? that's comforting........

Chemicals could mean a lubricant for gears or something, whoever said what they're for. Thermal paste is a chemical, and a very useful one too.

I know most people will probably say the chemicals aren't being made for safe uses. As if every other country isn't doing the same thing...
