Spearphishing the Chemical Industry – Symantec Reports “Nitro” Attacks

On October 31, 2011, Symantec released a whitepaper entitled  The Nitro Attacks: Stealing Secrets from the Chemical Industry.  In the whitepaper, Symantec reports on a hacking attack on 29 chemical companies.  The attack appeared to be aimed at stealing intellectual property related to the research, development and manufacture of chemicals.  These attacks started in July 2011 and continued until mid-September.  The attacks also targeted 19 non-chemical companies, primarily in the defense industry.

Symantec tells us how the systems were compromised:

The attackers first researched desired targets and then sent an email specifically to the target. Each organization typically only saw a handful of employees at the receiving end of these emails. However, in one organization almost 500 recipients received a mail, while in two other organizations, more than 100 were selected. While the attackers used different pretexts when sending these malicious emails, two methodologies stood out. First, when a specific recipient was targeted, the mails often purported to be meeting invitations from established business partners. Secondly, when the emails were being sent to a broad set of recipients, the mails purported to be a necessary security update. The emails then contained an attachment that was either an executable that appeared to be a text file based on the file name and icon, or a password-protected archive containing an executable file with the password provided in the email. In both cases, the executable file was a self-extracting executable containing PoisonIvy, a common backdoor Trojan developed by a Chinese speaker.

Yet again, the means of entry was spearphishing.  The cyberspies are using the same social engineering schemes that were reported in secret State Department cables as early as 2002.  

Regrettably, the tools to improve the criminals’ social engineering craft are becoming more robust every day.   A little internet research yields substantial personal information that can be used to deceive the recipient.  Email is the ideal medium for deception because the attacker has at his command all of the human factors needed to deceive the recipient.  Given the ability of criminals to craft and deliver deceiving emails, email recipients are essentially unarmed in this battle of wits with spearphishers.

Social engineering deceives the users into becoming the agents of the criminals.  What can be done to defend the enterprise against spearphishing?  The enterprise can adopt a tool that identifies trusted email so that the target of the spearphishing attack can distinguish real email from fake email.  That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.


Comments are closed.