Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

Posted by timothy on from the if-you'd-just-please-open-your-loading-dock dept.

Orome1 writes "Nearly 50 (and quite possibly more) companies in the chemical, defense, and other sectors have been hit with a spear phishing campaign carrying a backdoor Trojan with the ultimate goal of exfiltrating R&D and manufacturing information, revealed Symantec in a newly released report. The attacks against these companies started in late July 2011 and lasted until the middle of September 2011, but the attackers are thought to be the same ones who targeted human rights related NGOs and companies in the motor industry in May." Here's a link to the report itself (PDF).

46 comments

  1. Farewell Dossier redux by The+Man · · Score: 1

    It's time to recognise that the West is in another Cold War with China. The steps taken to keep industrial information out of Soviet hands crimped trade and imposed costly burdens on US business, but they were at least somewhat effective. Let's try to do better, but for fuck's sake let's do something! How about starting by dropping all packets from China at the border? If nothing else it ought to get their attention.

    1. Re:Farewell Dossier redux by Anonymous Coward · · Score: 1

      Let me refresh your memory... http://youtu.be/83tnWFojtcY

      People used to listen to me!!

    2. Re:Farewell Dossier redux by hedwards · · Score: 3, Insightful

      Because, we're not going to win this cold war if we're not providing easy access to our culture. Soft power has done far more for the US' standing in the world than our willingness to spend every last cent on pointless military endeavors.

    3. Re:Farewell Dossier redux by trolman · · Score: 2

      Blocking the bad country IP ranges will not work. The bad guys simply buy botnets or hosting. User education is the only real fix. From a technical point of view I would love to protect the network from everything. But the reality of human interaction is that the bad guys will get in by phone, fax, email, visiting in person. Maybe if we call this a war it will give the users a bit more of a scare. After all the only effective way to teach something like this is to scare the users into compliance.

    4. Re:Farewell Dossier redux by durrr · · Score: 1

      Because aggrevating things is the right choice. But please go ahead, I'd love to see china go all pikeman over your high horse and do an economic takedown.
      Though most likely they'll just smile and wait it out, the US is so rotten through it's collapse under it's own weight any day now.

    5. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      That might mean something if our "culture" was available in Chinese. Not to mention the whole Great Firewall thing.

    6. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      How about starting by not making assumptions based on public opinion and FUD.

      No evidence has been presented that the Chinese government or even a Chinese person was responsible
      and to just blame them based on unsubstantiated claims is pure racism & US propaganda.

    7. Re:Farewell Dossier redux by hedwards · · Score: 1

      Portions of it are already available over there. The Great Firewall thing is a pretty big joke. Sure it does cut down a great deal on that, but it's hardly rocket science to circumvent, and ultimately, us dropping all those packets at our border would make it nigh impossible for them to get through. Assuming that it's even possible in the first place, which is questionable at best.

    8. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      I think this is fair trade.
      We stole Iraqi oil, the chicoms steal our trade secrets. New world order.

    9. Re:Farewell Dossier redux by Mister+Whirly · · Score: 1

      "Economic takedown"? Taking down the US economy would hurt China as much or more than it would hurt the US itself. Who do you think is the chief exporter of goods into the US? Who do you think owns a good chunk of US companies? Why would China want to cut it's own throat?

      --
      "But this one goes to 11!"
    10. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      I guess all those Stuxnet stories were pure racism & Iranian propaganda too?

    11. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      Instead of complaining about users, as they will never learn, it would make more sense to limit what users can do. Put blinders on them, as it were. Aside from administration purposes, do the usual users require permission to install or run applications that are not white-listed? You don't need to have the user know of what can be done, just show them what will be done.

    12. Re:Farewell Dossier redux by Anonymous Coward · · Score: 0

      I would say China owning a good chunk of US companies is the "economic takedown" that's already happening. It's not so much as having the economy collapse as making it dependent on China and letting China have a large influence on American businesses (and subsequently the rest of America)

      There are a few things US still have over China though:

      1) US shoved a bunch of USD onto China's hands, which would be worthless if the US becomes weak or unstable (and our government hating libertarian friends on /. will tell you USD is *already* worthless, but I digress)

      2) The general American people have a hatred for anything left leaning, let alone China. The notion of America "losing" in anyway to TEH COMMIES is completely unacceptable and they'll do almost anything to prevent it

      3) "China quality" is still a reality. Trains crash. Toilets explode. Muggers who would gladly punch women in the fact repeatedly just to steal a purse. For all the prosperity that the best of China has to offer, China still has a long way to go to fix all the worst that it has to offer.

      4) Somewhat tied to 3), American armed forces is still larger and more advanced. Though the prospect of open warfare may seem unlikely and would probably hurt the US more than it helps if used, it's always a factor.

    13. Re:Farewell Dossier redux by durrr · · Score: 1

      Someone compared the relationship to china being the farmer and the US being the eater.
      What could happen is that the US ends up without food where china have to eat what they produce, terrible pain that would inflict yes.

  2. User education by trolman · · Score: 2

    The only way to protect a network is user education. The bad guys will visit in person, call on the phone, email and find a way onto the network. Not even closed networks can be secured. Only a well educated computer user base will work.

    1. Re:User education by Anonymous Coward · · Score: 0

      The only way to protect a network is user education. The bad guys will visit in person, call on the phone, email and find a way onto the network. Not even closed networks can be secured. Only a well educated computer user base will work.

      My users tend to get angry when I try to debug them.

  3. What is Spear Phishing ? by lemur3 · · Score: 2

    It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?

    Is it because it has a trojan? What? huh?

    help us out a bit here

    1. Re:What is Spear Phishing ? by cduffy · · Score: 5, Informative

      It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?

      Is it because it has a trojan? What? huh?

      Spear phishing is different because it's highly targeted.

      Happy to help.

    2. Re:What is Spear Phishing ? by CapnStank · · Score: 1

      Or you know.... google

    3. Re:What is Spear Phishing ? by demonbug · · Score: 1

      It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?

      Is it because it has a trojan? What? huh?

      help us out a bit here

      I wouldn't have thought the term would need explanation on Slashdot, as it is a standard industry term. A "spear phishing" attack is similar to regular phishing, but instead of targeting masses the attack targets specific, high-value individuals. Usually the attacks require a significant amount of research on the part of the attackers.

    4. Re:What is Spear Phishing ? by Anonymous Coward · · Score: 0

      apparently not everyone on slashdot is in the same industry..

    5. Re:What is Spear Phishing ? by tlhIngan · · Score: 1

      It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?

      It's a form of highly targeted phishing. Think back earlier this year to the RSA hack - how was it done? It was done by someone pretending to be the HR firm RSA uses and writing a pretty damn plausible e-mail that they might get in their inbox and not have second thoughts about (it was sent to their HR person about a list of potential hires).

      Basically, instead of spamming millions with "your bank account has been accessed by a third party! Click to change your password" emails and hoping a few take the bait, spear phishing is sending only a few emails to select individuals with plausible subjects, heaaders and content that they might receive during the day.

      All the usual precautions apply, but if they send you a Word document by e-mail, chances are way better if it came from the customer with something like "Requirements review with comments.doc" that someone will blindly open it. Especially if the customer just signed on and an initial requirements doc was just sent out.

      Another example would be Sales receiving an infected Word document disguised as a PO from someone claiming to be an existing customer. Heck, it might be a plausible looking PO as well so no one suspects anything.

    6. Re:What is Spear Phishing ? by DriedClexler · · Score: 1

      Spear phishing is phishing where you exploit specific information about the target to make your messages seem more trustworthy. For example, phishing would just be,

      "Hello John_Doe@yahoo.com, it appears you have some bank activity awaiting confirmation, please click on this flaky URL ..."

      Spear phishing would be,

      "Dear Mr. John H. Doe,

      Your account at Citibank [Doe actually has an account there] shows a rejected transaction for your purchase at 6:30 pm at Walmart on Tuesday, the 5th. [Doe actually made a purchase there and then.] Please confirm its authenticity by clicking this link ..."

      Then again, the others seem to be saying that the difference is in *who* you target, rather than the inside information your message has that makes it more plausible. So ... go fig.

      --
      Information theory is life. The rest is just the KL divergence.
    7. Re:What is Spear Phishing ? by HopefulIntern · · Score: 5, Informative

      Which is why the term is so apt. Fishing is the act of throwing a line out waiting for something to bite (sending unsolicited emails to hundreds and thousands of people and hoping someone will "bite"). Spear fishing requires the identification of a single fish, in the shallow water, and pinning it with a spear. Hence, the precision metaphor.

  4. Why is it so easy to infiltrate serious targets? by satuon · · Score: 2

    So all it takes is to send emails to the employees telling them to execute an *.exe file? No wonder the Chinese are able to do it, this thing requires almost no skill, only enough numbers of people churning out emails. I wonder when the Chinese will stop bothering with the malware part, and just ask the employees to upload all the sensitive data.

  5. Hooray for security consultants by Anonymous Coward · · Score: 0

    Spear phishing? I can imagine a bunch of consultant clowns trying to come up with fancy analogies to impress PHB du jour.

    What will be the next big bullshit-bingo term? I would have jokingly suggested "whaling" but apparently someone already got to that.

    I want to see "flounder tramping", "trout tickling" and "noodling"!

  6. Wow, talk about vague by zill · · Score: 1

    The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China.

    I don't usually overgeneralize, but "20-something male" pretty much describes 99% of the blackhats out there.

  7. The attack is on going by Anonymous Coward · · Score: 0

    The attack hasn't stopped, if anything its been increasing. That's what I've seen at our company... This isn't a "user education" problem - the attackers speak excellent English and do a lot of tricks to copy any emails that a user might see, ie bank mails, forum mails, or even internal email. Most of the mails even make me - a software engineer - double check. Text-only w/o attachments are the only thing that is safe. PERIOD.

    1. Re:The attack is on going by satuon · · Score: 1

      Attacks like this make me wonder why should users even be able to execute *.exe files. I've started to see the point of non-executable partitions in Linux.

    2. Re:The attack is on going by Anonymous Coward · · Score: 0

      All email is Text you AC moron.

    3. Re:The attack is on going by 93+Escort+Wagon · · Score: 1

      All email is Text you AC moron.

      Technically correct, but misses the point and intent entirely. In other words, a typical Slashdot post. Well done!

      --
      #DeleteChrome
    4. Re:The attack is on going by mjr167 · · Score: 1

      Because users occasionally need to actually, you know, use the computer to do their job?

    5. Re:The attack is on going by Culture20 · · Score: 1

      "Attacks like this make me wonder why should users even be able to execute *.exe files [in user writable space like \users\ or \temp\]. I've started to see the point of non-executable partitions in Linux."
      Fixed for GP. It's pretty easy to set /home/ noexec on a linux machine and allow users to only run programs installed by the sysadmin. Still not perfect, but it would prevent a huge portion of malware out there now.

    6. Re:The attack is on going by satuon · · Score: 1

      I meant they shouldn't be able to execute files that are not put there by the admin. That's what non-executable partitions are in Linux. Your root partition is executable, but your home partition is not. Your browser, word processor, etc. are in the executable partition so you can execute them. But if someone sent you an executable file you have to put it in your own home partition, and you can't execute it from there. And you can't move it to the root partition, because you don't have write permissions.

  8. MOD PARENT FUNNY! by Anonymous Coward · · Score: 0

    user education

    BVAHAHAHAHA

  9. Re:Why is it so easy to infiltrate serious targets by Registered+Coward+v2 · · Score: 2

    So all it takes is to send emails to the employees telling them to execute an *.exe file? No wonder the Chinese are able to do it, this thing requires almost no skill, only enough numbers of people churning out emails. I wonder when the Chinese will stop bothering with the malware part, and just ask the employees to upload all the sensitive data.

    Actually, you're comment is not that far off the mark. I once was helping a company bring a new product to market, and as part of that would call the potential competitors and ask a whole lot of questions about their products, plans etc. I told them upfront exactly what we were doing - and they still gladly answered my questions. Once I reached the engineers designing the products they would talk my ears off about their product; it also helped that as an engineer I also could talk intelligently with them on a technical basis.

    But yes, I would not be surprised if an "Please send me everything about..." got a positive reply.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  10. Those companies chose to run Windows. by couchslug · · Score: 2

    That choice means they don't care about security. Ridicule is perfectly appropriate in this case.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    1. Re:Those companies chose to run Windows. by Anonymous Coward · · Score: 0

      That choice means they don't care about security. Ridicule is perfectly appropriate in this case.

      Which part of 'Trojan' do you not understand?

    2. Re:Those companies chose to run Windows. by Anonymous Coward · · Score: 1

      Which part of 'Trojan' do you not understand?

      Given the venue, "How to put one on," seems like the appropriate answer to that question.

  11. Good PR Move by Gyorg_Lavode · · Score: 1

    Is it just me, or did Symantec take a normal spear phishing attack, by the usual suspects, with the usual tools, and turn it into an advertisement? They gave it a name, wrote a paper on it, made sure it was clear CHEMICALS were involved, and then sent it to the news outlets. I guess this is only to be expected given how much publicity they got from their stuxnet and duqu analysis. Oh well. *sigh*

    --
    I do security
  12. Re:slashdot is though to be stagnated by couchslug · · Score: 1

    Stagdot?

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  13. Just like the CA's breached recently? by Anonymous Coward · · Score: 0

    That ran Linux? 3/4 of them were that, see here:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    Each was compromised, per this article's proof thereof -> http://itproafrica.com/technology/security/cas-hacked/

    (The only one that doesn't was diginotar.nl, & they either didn't update properly, and ought to use Windows Server 2008 + IIS7 (vs. Windows Server 2003 + IIS6)).

    However, couchslug, since you in the business of "ribbing on Windows", well, then it's my "civic duty" to show even MORE CURRENT INFORMATION about Linux being "so secure" (not) as you seem to insinuate:

    ---

    KERNEL.ORG COMPROMISED:

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Breaching Fort Apache.org - What went wrong?

    http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    ---

    *That's ALL pretty current information... very recent too!

    APK

    P.S.=> And, lastly of course? There's ANDROID (a Linux variant) so please, tell us - how's THAT doing on the security front?? Not very well...

    This is sort of funny on that note in fact: I tried to post all of the known security issues I have catalogued here for it, & SLASHDOT's FORUM ENGINE CAN'T EVEN HANDLE THE LOAD (too many is why)...

    Fact is, Android shows anyone that once Linux got a decent share of market on a platform, it too, can be found to be insecure & was benefitting on PC's via "security-by-obscurity" (lack of widespread usage vs. competitors) & since nobody was using it? Why bother attack it (mindset of hacker/cracker types is this)

    There in ANDROID also? Bugs in the kernel too, not just bugs in the JAVA/Dalvik front end have been found on that note also.

    BOTTOM-LINE, to Couchslug (or any Pro-*NIX fan/Penguin etc.):

    Guys, listen - they ALL need work on the security front, every OS there is!

    Even though Windows Server 2008 shows less unpatched security vulnerabilities http://secunia.com/advisories/product/18255/?task=advisories than the Linux CURRENT KERNEL ALONE http://secunia.com/advisories/product/2719/?task=advisories

    (Mind you, it would be more unpatched security bugs present on a full linux distro most likely due to app bugs that come in said distro beyond the kernel, unless vendors fixed them OR omitted putting those buggy programs into said distro)

    4x++ less unpatched security vulnerabilities in Windows Server 2008 vs. Linux current mainstream kernel only, in fact - see for yourself!

    ... apk

  14. Toss on another CA breached running Linux by Anonymous Coward · · Score: 0

    4 WERE BREACHED RECENTLY & THEY RUN LINUX:

    http://uptime.netcraft.com/up/graph?site=StartCom.com

    http://uptime.netcraft.com/up/graph?site=GlobalSign.com

    http://uptime.netcraft.com/up/graph?site=Comodo.com

    http://uptime.netcraft.com/up/graph?site=DigiCert.com

    * ALL THOSE YEARS OF HEARING "Linux = Secure, Windows != Secure" here on slashdot is turning up pure FUD bullshit, & ANDROID (yes, it's a Linux using a Linux core/kernel) only proves me correct even moreso...

    ("Read 'em & WEEP" above, Penguins/Pro-*NIX people... facts, are facts...)

    APK

    P.S.=> Anyone wonder WHY Linux is "dead last" amongst the "big 3" OS out there? I don't... & the ONLY REASON it gets used @ all over Windows is that it is NO COST to use (poorer smaller mom & pops use it mostly, & businesses are in business to make money, keep overhead costs low & profit high etc.) even IF it means taking risks, even DUMB ones like security risks (I wouldn't because of security, that means liabilities is why & that means possible lawsuits with NO ONE TO GO AFTER if you use a freebie afaik)... apk