Threat Intelligence Garden

Nitro, Covert Grove

2 min read

Nitro, Covert Grove

Description

(Symantec) The Nitro Attacks: Stealing Secrets from the Chemical Industry

The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began. This particular attack has lasted much longer than previous attacks, spanning two and a half months.

A total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave and another 19 in various other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the minimum number of companies targeted and likely other companies were also targeted. In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These Ips represented 52 different unique Internet Service Providers or organizations in 20 countries.

Nitro may be related to APT 18, Dynamite Panda, Wekby.

Names

NameName-Giver
NitroSymantec
Covert GroveSymantec

Country

Motivation

  • Information theft and espionage

First Seen

2011

Observed Sectors

Observed Countries

Tools

Operations

  • 2014-07: New Indicators of Compromise found Historically, Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware, which was not seen in these attacks. Since at least 2013, Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites, as reported by Cyber Squared’s TCIRT. https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/

Information

Other Information

Uuid

86c30d93-a2e8-4d04-9881-884cc59d7e19

Last Card Change

2020-04-15

Graph View

Backlinks