PoisonIvy RAT used to hack chemical firms by man in China

By Chris Burns/Oct. 31, 2011 12:45 pm EST

The nation of China has been getting a bad rap in these last couple of weeks due to more than one allegation of the country's government hacking sensitive equipment internationally – today it appears that a single man inside the country might extend that press with an unrelated cyber attach of chemical firms in the USA, Bangladesh, and the UK. As China has emphatically denied any hacking on the part of the government in any way at all for the last incident, so too must it made clear here before misinformation is spread: the suspect is a man living in China whose computer system apparently used for the attacks was traced to the United States.

The attack at hand was done with a malicious bit of software by the name of PoisonIvy (a Remote Access Trojan (RAT)), that appears to be clear according to a report sent out by security firm Symantec Corp. While the companies hit were not listed, its clear that they include several Fortune 100 corporations that both develop compounds as well as advanced materials in addition to groups that manufacture infrastructure for these businesses. It was found that PoisonIvy was planted in 29 chemical company's computers, some of which have "developed advanced materials used in military vehicles." Symantec noted the following:

"The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage." – Symantec

Thusly probably don't get too frightened at the prospect (unless you're a business owner inside the circle here.) The whole campaign ran from this summer in July through the middle of September and, again, was traced to a computer system in the USA that was owned by a man living in Hebei provence up in northern China. This man's code-name according to Symantec is "Covert Grove" based on what they say is a literal translation of his name to English.

"We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties." – Symantec

In addition to this attack, Covert Grove's "command and control" servers were used for at least a couple more attacks this year. One attack was on a human-rights group inside late April and early May, and another was on "the motor industry" in late May. Specifics beyond that were not given.

[via Rueters]