According to a report from Symantec, dozens of firms in the chemical industry were systematically attacked over a period of two to three months by a group that started out targeting human rights organizations.
Symantec is calling the attacks Nitro. They started in July, ended about mid-September, and focused on social engineering.
Victims were sent emails containing a Trojan, delivered as meeting invites or security updates, depending on the target. The Trojan opened a backdoor to the infected host and pushed out the IP address, Windows password hashes, and the computer name of any other infected host within the same domain or workgroup.
Once the passwords were cracked, the attackers had all the access they needed.
“Typically, their primary goal is to obtain domain administrator credentials and/or gain access to a system storing intellectual property,” Symantec said in their report.
“The behavior of the attackers differs slightly in each compromise, generally once the attackers have identified the desired intellectual property, they copy the content to archives on internal systems they use as internal staging servers. This content is then uploaded to a remote site outside of the compromised organization completing the attack.”
In all, Symantec believes that nearly 48 companies were hit, including several Fortune 100 firms that are involved in research related to chemical compounds and some focused on R&D for materials used in military vehicles.