The companies that faced these cyber attacks included Fortune 100 corporations developing compounds and advanced materials, and the businesses that manufactured infrastructure for these corporations. The report did not identify the companies being attacked but stated that they were mainly based in the United States and the United Kingdom.
Symantec's investigation of the campaign, which ran from late July through mid-September, also traced the attacks to a computer in the United States owned by a Chinese man. Researchers gave the man the pseudonym “Covert Grove” based on a literal translation of his name.
“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties,” Symantec stated.
According to Symantec, the cyber attacks infected the computers with malicious software known as “PoisonIvy,” which stole information such as design documents, formulas and details on manufacturing processes. The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage.
The attackers sent emails with tainted attachments to between 100 and 500 employees at each targeted company, claiming to be from business partners or to contain bogus security updates. When a recipient opened the attachment, it installed PoisonIvy, a Remote Access Trojan (RAT) that can take control of a machine. The hackers then identified desired intellectual property, copied it and uploaded it to a remote server.