Report details defense industry cyber attack

Security software giant Symantec isn’t naming any names, but it reported Tuesday that it’s been tracking an ongoing cyber-attack against what sound like companies Buzz readers might recognize. Chinese malware has been snooping around the computer networks of, as Symantec put it:

• “Multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials.

• Companies that develop advanced materials primarily for military vehicles.

• Companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.”

The report said some 19 total companies “in the defense sector” were targeted in the hacking campaign, which apparently was designed to sniff out “intellectual property such as design documents, formulas, and manufacturing processes.” Symantec’s report goes into fascinating detail about who its investigators believe was responsible for the hacks and how they worked, and key parts of it are well worth excerpting.

First, the who:

The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school.

Covert Grove claimed to have the U.S.-based VPS for the sole purpose of using the VPS to log into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address. He claims this was the sole purpose of the VPS. And by having a static IP address, he could use a feature provided by QQ to restrict login access to particular IP addresses. The VPS cost was RMB200 (US$32) a month. While possible, with an expense of RMB200 a month for such protection and the usage of a US-based VPS, the scenario seems suspicious. We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined. We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.

Maybe this upstanding young citizen is just a big chemistry buff and his hobby is studying the composition of the armor plating on U.S. military vehicles, right? Well, it’s one theory. So how was Covert Grove able to get his malware into these defense firms’ systems? Simple emails:

The attackers first researched desired targets and then sent an email specifically to the target. Each organization typically only saw a handful of employees at the receiving end of these emails. However, in one organization almost 500 recipients received a mail, while in two other organizations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out. First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email. In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker.

When the recipient attempted to open the attachment, they would inadvertently execute the file, causing PoisonIvy to be installed. Once PoisonIvy was installed, it contacted a C&C server on TCP port 80 using an encrypted communication protocol. Using the C&C server, the attackers then instructed the compromised computer to provide the infected computer’s IP address, the names of all other computers in the workgroup or domain, and dumps of Windows cached password hashes.

By using access to additional computers through the currently logged on user or cracked passwords through dumped hashes, the attackers then began traversing the network infecting additional computers. Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property. Domain administrator credentials make it easier for the attacker to find servers hosting the desired intellectual property and gain access to the sensitive materials. The attackers may have also downloaded and installed additional tools to penetrate the network further.
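A mail-gateway-style check for the two attachment shapes Symantec describes above (an executable whose name mimics a text file, and an archive carrying an executable), added here as an illustration rather than taken from the report; the file names and bytes are constructed samples, and `check_attachment` and `build_sample_zip` are names chosen for this example.

```python
import io
import re
import zipfile
from typing import List

# Lure shapes quoted from the report: a PE whose name/icon mimics a text
# file, or an archive (often password-protected) holding an executable.
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd)$", re.IGNORECASE)
DOC_DOUBLE_EXT = re.compile(r"\.(txt|doc|pdf|xls|rtf)\.[a-z]{2,4}$", re.IGNORECASE)


def check_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment matches the lure pattern (empty list = clean)."""
    findings = []
    if data.startswith(PE_MAGIC):
        if DOC_DOUBLE_EXT.search(name):
            findings.append("executable with document-like double extension")
        elif not EXEC_EXT.search(name):
            findings.append("executable content behind non-executable extension")
        else:
            findings.append("bare executable attachment")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if EXEC_EXT.search(info.filename):
                        # bit 0 of the general-purpose flag marks a password-protected entry
                        tag = " (password-protected)" if info.flag_bits & 0x1 else ""
                        findings.append(f"archive contains executable {info.filename}{tag}")
        except zipfile.BadZipFile:
            findings.append("unreadable zip archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a 'security update' archive wrapping a fake PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("security_update.exe", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "meeting_invite.txt.exe": PE_MAGIC + b"\x00" * 62,  # constructed lure
        "agenda.txt": b"Agenda for Tuesday\n",              # constructed, benign
        "security_update.zip": build_sample_zip(),          # constructed lure
    }
    for name, data in samples.items():
        print(name, "->", check_attachment(name, data) or "clean")
```

The archive branch only inspects entry names and the encryption flag, so it works on a password-protected archive without knowing the password from the e-mail body.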

Diabolical! And it all just goes back to the same old lesson — be careful when you download attachments!

h/t: CNET

Join the Conversation

Sounds like the sort of entrepreneurial hacking reminiscent of what we were known for in the 19th century. The Europeans complained loudly about us ripping off their IP. Now we just rip off things we could never make like French films on a regular basis. The liability some of our media companies have to Europe should some of the more draconian IP law be passed is staggering.

Whether it’s the Greeks complaining about the Romans or Americans complaining about the Chinese the history is clear. IP is a race not a vault, you can only compete by being faster not trying to lock stuff up. Chinese companies see their innovations spread to their competitors in 6 months. This makes them much stronger and more competitive than companies hiding behind US IP law and the resultant golden goose mentality.

Please provide one innovation from a Chinese company because I cannot think of one.

So, despite everyone’s cloak-and-dagger fantasizing about Stuxnet and RF hacking and stolen keys and man-in-the-middle skullduggery and whatever else, the key to a massive security breach was good old “hey this is important file, you should click right away!!”

Their strategy makes sense to me. Avoid the R&D and testing costs… Good for the bottom line! All for RMB200 a month? No brainer.

Text excerpt: “Maybe this upstanding young citizen is just a big chemistry buff and his hobby is studying the composition of the armor plating on U.S. military vehicles, right?”

And maybe all those small teams of half-U.S. American, athletic bikers in military age who constantly stray across the Iranian border due to navigation mistakes are really just students on foreign vacations, right?
