Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

← Back to Stories (view on slashdot.org)

Spear Phishing Campaign Hits Dozens of Chemical, Defense Firms

Posted by timothy on Tuesday November 1, 2011 @03:34AM from the if-you'd-just-please-open-your-loading-dock dept.

Orome1 writes "Nearly 50 (and quite possibly more) companies in the chemical, defense, and other sectors have been hit with a spear phishing campaign carrying a backdoor Trojan with the ultimate goal of exfiltrating R&D and manufacturing information, revealed Symantec in a newly released report. The attacks against these companies started in late July 2011 and lasted until the middle of September 2011, but the attackers are thought to be the same ones who targeted human rights related NGOs and companies in the motor industry in May." Here's a link to the report itself (PDF).

28 of 46 comments (clear)

Min score:

Reason:

Sort:

Farewell Dossier redux by The+Man · 2011-11-01 03:40 · Score: 1

It's time to recognise that the West is in another Cold War with China. The steps taken to keep industrial information out of Soviet hands crimped trade and imposed costly burdens on US business, but they were at least somewhat effective. Let's try to do better, but for fuck's sake let's do something! How about starting by dropping all packets from China at the border? If nothing else it ought to get their attention.
1. Re:Farewell Dossier redux by Anonymous Coward · 2011-11-01 03:46 · Score: 1
  
  Let me refresh your memory... http://youtu.be/83tnWFojtcY
  People used to listen to me!!
2. Re:Farewell Dossier redux by hedwards · 2011-11-01 03:46 · Score: 3, Insightful
  
  Because, we're not going to win this cold war if we're not providing easy access to our culture. Soft power has done far more for the US' standing in the world than our willingness to spend every last cent on pointless military endeavors.
3. Re:Farewell Dossier redux by trolman · 2011-11-01 03:51 · Score: 2
  
  Blocking the bad country IP ranges will not work. The bad guys simply buy botnets or hosting. User education is the only real fix. From a technical point of view I would love to protect the network from everything. But the reality of human interaction is that the bad guys will get in by phone, fax, email, visiting in person. Maybe if we call this a war it will give the users a bit more of a scare. After all the only effective way to teach something like this is to scare the users into compliance.
4. Re:Farewell Dossier redux by durrr · 2011-11-01 04:03 · Score: 1
  
  Because aggrevating things is the right choice. But please go ahead, I'd love to see china go all pikeman over your high horse and do an economic takedown.
  Though most likely they'll just smile and wait it out, the US is so rotten through it's collapse under it's own weight any day now.
5. Re:Farewell Dossier redux by hedwards · 2011-11-01 05:23 · Score: 1
  
  Portions of it are already available over there. The Great Firewall thing is a pretty big joke. Sure it does cut down a great deal on that, but it's hardly rocket science to circumvent, and ultimately, us dropping all those packets at our border would make it nigh impossible for them to get through. Assuming that it's even possible in the first place, which is questionable at best.
6. Re:Farewell Dossier redux by Mister+Whirly · 2011-11-01 06:36 · Score: 1
  
  "Economic takedown"? Taking down the US economy would hurt China as much or more than it would hurt the US itself. Who do you think is the chief exporter of goods into the US? Who do you think owns a good chunk of US companies? Why would China want to cut it's own throat?
  
  --
  "But this one goes to 11!"
7. Re:Farewell Dossier redux by durrr · 2011-11-02 03:23 · Score: 1
  
  Someone compared the relationship to china being the farmer and the US being the eater.
  What could happen is that the US ends up without food where china have to eat what they produce, terrible pain that would inflict yes.
User education by trolman · 2011-11-01 03:47 · Score: 2

The only way to protect a network is user education. The bad guys will visit in person, call on the phone, email and find a way onto the network. Not even closed networks can be secured. Only a well educated computer user base will work.
What is Spear Phishing ? by lemur3 · 2011-11-01 03:49 · Score: 2

It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?
Is it because it has a trojan? What? huh?
help us out a bit here
1. Re:What is Spear Phishing ? by cduffy · 2011-11-01 03:52 · Score: 5, Informative
  
  It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?
  Is it because it has a trojan? What? huh?
  Spear phishing is different because it's highly targeted.
  Happy to help.
2. Re:What is Spear Phishing ? by CapnStank · 2011-11-01 03:55 · Score: 1
  
  Or you know.... google
3. Re:What is Spear Phishing ? by demonbug · 2011-11-01 03:57 · Score: 1
  
  It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?
  Is it because it has a trojan? What? huh?
  help us out a bit here
  I wouldn't have thought the term would need explanation on Slashdot, as it is a standard industry term. A "spear phishing" attack is similar to regular phishing, but instead of targeting masses the attack targets specific, high-value individuals. Usually the attacks require a significant amount of research on the part of the attackers.
4. Re:What is Spear Phishing ? by tlhIngan · 2011-11-01 04:31 · Score: 1
  
  It seems to me that a well edited summary of the story might give us an idea of what Spear Phishing is.. at least, why is it different than normal phishing?
  It's a form of highly targeted phishing. Think back earlier this year to the RSA hack - how was it done? It was done by someone pretending to be the HR firm RSA uses and writing a pretty damn plausible e-mail that they might get in their inbox and not have second thoughts about (it was sent to their HR person about a list of potential hires).
  Basically, instead of spamming millions with "your bank account has been accessed by a third party! Click to change your password" emails and hoping a few take the bait, spear phishing is sending only a few emails to select individuals with plausible subjects, heaaders and content that they might receive during the day.
  All the usual precautions apply, but if they send you a Word document by e-mail, chances are way better if it came from the customer with something like "Requirements review with comments.doc" that someone will blindly open it. Especially if the customer just signed on and an initial requirements doc was just sent out.
  Another example would be Sales receiving an infected Word document disguised as a PO from someone claiming to be an existing customer. Heck, it might be a plausible looking PO as well so no one suspects anything.
5. Re:What is Spear Phishing ? by DriedClexler · 2011-11-01 04:33 · Score: 1
  
  Spear phishing is phishing where you exploit specific information about the target to make your messages seem more trustworthy. For example, phishing would just be,
  "Hello John_Doe@yahoo.com, it appears you have some bank activity awaiting confirmation, please click on this flaky URL ..."
  Spear phishing would be,
  "Dear Mr. John H. Doe,
  Your account at Citibank [Doe actually has an account there] shows a rejected transaction for your purchase at 6:30 pm at Walmart on Tuesday, the 5th. [Doe actually made a purchase there and then.] Please confirm its authenticity by clicking this link ..."
  Then again, the others seem to be saying that the difference is in *who* you target, rather than the inside information your message has that makes it more plausible. So ... go fig.
  
  --
  Information theory is life. The rest is just the KL divergence.
6. Re:What is Spear Phishing ? by HopefulIntern · 2011-11-01 04:59 · Score: 5, Informative
  
  Which is why the term is so apt. Fishing is the act of throwing a line out waiting for something to bite (sending unsolicited emails to hundreds and thousands of people and hoping someone will "bite"). Spear fishing requires the identification of a single fish, in the shallow water, and pinning it with a spear. Hence, the precision metaphor.
Why is it so easy to infiltrate serious targets? by satuon · 2011-11-01 03:57 · Score: 2

So all it takes is to send emails to the employees telling them to execute an *.exe file? No wonder the Chinese are able to do it, this thing requires almost no skill, only enough numbers of people churning out emails. I wonder when the Chinese will stop bothering with the malware part, and just ask the employees to upload all the sensitive data.
Wow, talk about vague by zill · 2011-11-01 03:59 · Score: 1

The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China.
I don't usually overgeneralize, but "20-something male" pretty much describes 99% of the blackhats out there.
Re:The attack is on going by satuon · 2011-11-01 04:06 · Score: 1

Attacks like this make me wonder why should users even be able to execute *.exe files. I've started to see the point of non-executable partitions in Linux.
Re:The attack is on going by 93+Escort+Wagon · 2011-11-01 04:15 · Score: 1

All email is Text you AC moron.
Technically correct, but misses the point and intent entirely. In other words, a typical Slashdot post. Well done!

--
#DeleteChrome
Re:The attack is on going by mjr167 · 2011-11-01 04:17 · Score: 1

Because users occasionally need to actually, you know, use the computer to do their job?
Re:The attack is on going by Culture20 · 2011-11-01 04:33 · Score: 1

"Attacks like this make me wonder why should users even be able to execute *.exe files [in user writable space like \users\ or \temp\]. I've started to see the point of non-executable partitions in Linux."
Fixed for GP. It's pretty easy to set /home/ noexec on a linux machine and allow users to only run programs installed by the sysadmin. Still not perfect, but it would prevent a huge portion of malware out there now.
Re:Why is it so easy to infiltrate serious targets by Registered+Coward+v2 · 2011-11-01 04:37 · Score: 2

So all it takes is to send emails to the employees telling them to execute an *.exe file? No wonder the Chinese are able to do it, this thing requires almost no skill, only enough numbers of people churning out emails. I wonder when the Chinese will stop bothering with the malware part, and just ask the employees to upload all the sensitive data.
Actually, you're comment is not that far off the mark. I once was helping a company bring a new product to market, and as part of that would call the potential competitors and ask a whole lot of questions about their products, plans etc. I told them upfront exactly what we were doing - and they still gladly answered my questions. Once I reached the engineers designing the products they would talk my ears off about their product; it also helped that as an engineer I also could talk intelligently with them on a technical basis.
But yes, I would not be surprised if an "Please send me everything about..." got a positive reply.

--
I'm a consultant - I convert gibberish into cash-flow.
Re:The attack is on going by satuon · 2011-11-01 04:40 · Score: 1

I meant they shouldn't be able to execute files that are not put there by the admin. That's what non-executable partitions are in Linux. Your root partition is executable, but your home partition is not. Your browser, word processor, etc. are in the executable partition so you can execute them. But if someone sent you an executable file you have to put it in your own home partition, and you can't execute it from there. And you can't move it to the root partition, because you don't have write permissions.
Those companies chose to run Windows. by couchslug · 2011-11-01 06:41 · Score: 2

That choice means they don't care about security. Ridicule is perfectly appropriate in this case.

--
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
1. Re:Those companies chose to run Windows. by Anonymous Coward · 2011-11-01 08:06 · Score: 1
  
  Which part of 'Trojan' do you not understand?
  Given the venue, "How to put one on," seems like the appropriate answer to that question.
Good PR Move by Gyorg_Lavode · 2011-11-01 08:59 · Score: 1

Is it just me, or did Symantec take a normal spear phishing attack, by the usual suspects, with the usual tools, and turn it into an advertisement? They gave it a name, wrote a paper on it, made sure it was clear CHEMICALS were involved, and then sent it to the news outlets. I guess this is only to be expected given how much publicity they got from their stuxnet and duqu analysis. Oh well. *sigh*

--
I do security
Re:slashdot is though to be stagnated by couchslug · 2011-11-01 09:57 · Score: 1

Stagdot?

--
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."