Nitro, Duqu, Poison Ivy, Video Proof, and the Advanced Persistent Threat as Industrial Espionage

In a recent post, Duqu Enables Stuxnet Level Complexity Against Commercial Targets, I made the case about the advanced persistent threat in the context of commercial targets and industrial espionage, specifically in the wake of the Duqu attacks.  I also went on record as saying that Triumfant will detect the Duqu attack, but, in fairness, I offered no real proof of that claim.

Then along came news about Nitro.

On October 31, Symantec release a whitepaper about a new attack called Nitro that initially focused on human rights organizations and then moved on to the auto industry and then to the chemical industry.   According to a story about Nitro on eWeek.com: “At least 48 companies are believed to have been targeted across various industry verticals, including 29 companies involved in research and development of chemical compounds and companies that develop materials for military vehicles. The other 19 were in other sectors, including defense.”

Symantec reports that the purpose of Nitro was to collect information, specifically intellectual property that could be used for competitive advantage.  That would certainly seem to fit under the definition of industrial espionage.   The attacks collected user IDs and passwords to sensitive systems so they could be accessed for later attacks and exfiltrations.  Which is exactly the case I made about the significance of the Duqu discovery.

The Symantec report also stated that Poison Ivy, a product available off the shelf to create Trojans and other malware, was used to created Nitro.  Which leads me back to the claim that Triumfant could see Duqu.  I made the assertion that Triumfant would see Duqu based on a study of the analysis provided about the attack.  I am quite confident, and other technical people in our organization are quite confident, that Triumfant would detect Duqu, but I had no proof as I do not have the attack to test.

In the case of Nitro, I know for certain that Triumfant has successfully detected malware created by Poison Ivy.  Third party testers have used Poison Ivy to validate the efficacy of Triumfant and we passed when other tools failed.  We use Poison Ivy to test internally.  And I can offer proof – a video demonstration where we infect a machine with Poison Ivy we created and show Triumfant detecting and repairing the attack. You can watch the video here.

Obviously I take no satisfaction in hearing about a successful attack like Nitro.  I do think that Nitro reinforces my position that the advanced persistent threat can no longer be treated as a problem for the NSA, CIA, and the DoD.  Commercial organizations ate at risk and must take stapes to put solutions in place that will provide rapid detection and response to these threats.

I will be shamelessly opportunistic to leverage the fact that Nitro used Poison Ivy to add credibility to the ability of Triumfant to see the attacks that evade other defenses.  This time I have video proof.