Report: Chinese hackers launched summer offensive on US chemical industry

Chinese hackers sought to steal designs, formulas, and processes from chemical companies in the US and elsewhere, according to a report by cybersecurity firm Symantec. It's the latest example of Chinese hackers targeting a sector of the US economy.

November 1, 2011

Dozens of chemical companies and other industrial firms worldwide were hit this summer by highly focused cyberattacks controlled by Chinese hackers, according to a new report.

The cyberattacks, which began in July and lasted through mid-September, appeared to be a concerted industrial spying effort targeting proprietary designs, formulas, and manufacturing processes, says the report by Symantec, a computer security firm in Cupertino, Calif. Affected companies included a number of Fortune 100 companies involved in research and development of advanced materials, often for military or industrial purposes.

The campaign is only the most recent in a series of targeted cyberattacks that appear to be linked to government-backed hackers. It fits a pattern in which an informal "cyber militia" takes its marching orders from somewhere within the Chinese hierarchy and proceeds to conduct attacks that are officially deniable, but ultimately a huge drain on the economies of nations whose companies are targeted, say cybersecurity experts.

In this case, the target appeared to be the chemical industry. In the past, it has been the oil industry. And while it is by no means certain that the Chinese government was behind this summer's attacks, the question looms large.

"The question is: Who is 'they'?" writes James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), a Washington think tank, in an e-mail interview. "The Chinese government encourages economic espionage [for illicit acquisition of technology], but that does not mean it directs all economic espionage."

All together, 48 companies in 20 countries were hit in the attacks that Symantec dubbed "Nitro." The firms include 29 in the chemical sector and 19 others mostly concentrated in the defense industry. The United States had the largest number of infected machines, closely followed by Bangladesh and Britain.

To access the corporate computer networks, attackers used a now-familiar "spear-phishing" approach. The tactic involves targeting company officials with access to the information hackers are seeking. The officials are sent e-mails that appear to come from close associates and are encouraged to open an infected file attachment. At a few companies, hundreds of individuals were sent e-mails that claimed to be a necessary security update.

Once the attached file was opened, a trojan horse program called "PoisonIvy" – well known in the hacker world – installed itself, created a backdoor to the network, and began sending messages to a "command and control" server. The attackers also proceeded to identify intellectual property and copy it to other systems prior to exiting the company network.

Ultimately, Symantec traced the attacks to a US-based computer system that was "owned by a 20-something male located in the Hebei region in China." The US researchers dubbed the Chinese suspect "Covert Grove" – a literal translation of his name – and proceeded to get in touch with him. He claimed to control the US machine solely in order to connect with a popular instant messaging system in China.

But Covert Grove, who appears to manage multiple computer networks at a vocational school, also responded to requests to connect with a "hacker for hire." So was Covert Grove behind the attacks – or just a small fish?

"We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role," wrote Eric Chien and Gavin O'Gorman, the authors of the Symantec report. "Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties."

Symantec also detected "several other hacker groups that had begun targeting some of the same chemical companies in this time period." Those groups' attacks used "very tailored, targeted e-mails," but were far smaller in scope than the Nitro PoisonIvy attacks.

Dow Chemical Company told the online magazine PC World that it had detected "unusual e-mails being delivered to the company" last summer and worked with law enforcement to deal with it. "We have no reason to believe our operations were compromised, including safety, security, intellectual property, or our ability to service our customers," a Dow spokesman said.

To cybersecurity watchers, the Symantec study is suggestive, worrisome, but not necessarily surprising.

Security research firm McAfee in February reported that Chinese hackers had broken into the computer networks of five international oil and gas companies with the goal of stealing bid data and other key information. That report substantially corroborated a January 2010 Monitor report that found Chinese links to cyberespionage attacks against at least three global oil giants – Marathon Oil, ExxonMobil and ConocoPhillips.

Patrick Coyle, a former chemist for a major chemical company who now writes a blog about chemical industry cybersecurity, called Symantec's findings "old news." But he noted that the implications could be dire if hackers obtained any industrial-control-system information that could help them sabotage chemical plants.

"What is important is that someone took the time and effort to execute a series of attacks on a wide array of chemical facilities across the globe," he wrote. "The attacks used old tools ... [but] the fact that they were successful points out how poorly the chemical industry is protecting their computer systems and intellectual property."

In general, Chinese attacks are carried out "by proxies who combine self-interest and national goals," writes Mr. Lewis of CSIS. That means there is "a good chance that the people who steal technology are not the same people who plan attacks. If company networks are vulnerable, that means a spy can get in now and a soldier can get in later, but it may not mean that the control systems are equally vulnerable."

This is why better cybersecurity is so needed, he notes. If you start to fix one problem, like espionage, you also help reduce risk in other areas, like a cybermilitary attack.