Nitro hacking attacks

The Nitro hacking attacks were a targeted malware campaign in 2011 suspected to be a case of corporate espionage. At least 48 confirmed companies were infected with a Trojan called Poison Ivy that transferred intellectual property to remote servers. Much of the information known about these attacks comes from a white paper published by cybersecurity company Symantec (renamed NortonLifeLock).

Targets
Initial attacks in April and May 2011 targeted human rights organizations, though later in May the focus shifted to automotive companies. Then from July to September another series of breaches occurred with the majority of targets in the chemical and advanced materials industry and the defense sector. The attacks were international, with targeted firms in 20 countries, though the majority were in the U.S., U.K., and Bangladesh.

Methods
The targets seem to have been carefully selected and researched, with spear phishing emails usually going out to only a handful of employees at each company and claiming to be sent from specific business partners or to contain security updates. These emails came with an attachment that infected the user's computer with Poison Ivy, which then allowed attackers to send remote commands and eventually gain access to valuable data. In a strange move, the hackers actually used Symantec's report on their activities as a means to gain victims' trust. After the paper was published, new emails were sent by Nitro that pretended to be from Symantec and contained cursory information about the attack along with an attachment named "the_nitro_attackspdf.7z". This executable file would actually create a PDF of the real Symantec white paper, but would also infect the machine with the remote access Trojan.

Perpetrators
Unusually for a cybersecurity investigation, researchers were able to trace some attacks back to an individual dubbed Covert Grove who owned a U.S.-based virtual private server involved in the campaign, though he operated from Heibei Province, China. The man claimed to only use the server for logging into the QQ instant messaging system and investigators were never able to confirm his direct involvement or connection to any other organization. However, Symantec later attributed to the same Nitro group a series of attacks in 2012 using a Java zero-day vulnerability called CVE-2012-4681.