Symantec has identified a hacking campaign dubbed “Nitro” in which attackers used a Trojan horse to steal secrets from almost fifty companies, most of them in the defense and chemical industries.
Earlier this week, Symantec revealed that the remote access Trojan (RAT) dubbed “Poison Ivy”, which was used in the Nitro campaign, is freely available on the Internet. The total number of companies Nitro targeted is unknown, but it infected at least 48 organizations using Poison Ivy. The attacks started around July and lasted until mid-September.
Of the 48 firms successfully attacked, 29 were in the chemicals and advanced materials trade, a few of which have connections to military vehicles; the remaining 19 were spread across several fields, including the defense sector. A dozen of the targeted companies are in the United States and five are based in the U.K. The rest are in Italy, Japan, Denmark and the Netherlands.
The malware, created by a Chinese hacker, has also been associated with various other attacks, including the breach of RSA Security’s network last March. That attack infiltrated the company’s SecurID authentication token technology and stole information.
Symantec’s Jeff Wilhelm said that Nitro was as sophisticated as Stuxnet, but that it has similarities with other advanced threats. The senior researcher added that the narrow focus of the attack was one of the traits it shares with those advanced threats.
In its report, Symantec explained that Poison Ivy was delivered by email. The bogus messages posed as updates for antivirus software, as meeting requests from respected business partners, or as Adobe Flash Player updates, and were sent to a small number of people in each targeted firm. Once a user opened the message attachment, the malware was unwittingly installed on that user’s computer.
Once Poison Ivy is successfully planted on a Windows PC, the attackers can send it instructions to reach servers hosting confidential information. The stolen information is then passed on to attacker-controlled systems.
The techniques used in Nitro have much in common with other well-known attacks of the previous two years, among them the “Aurora” campaign of 2009 to 2010 that targeted Google and other Western firms, and this year’s RSA attack. Wilhelm declined to link these incidents to Nitro, but acknowledged that there were similarities.