Altogether, 48 companies in 20 countries were hit in the attacks that Symantec dubbed "Nitro." The firms include 29 in the chemical sector and 19 others mostly concentrated in the defense industry. The United States had the largest number of infected machines, closely followed by Bangladesh and Britain.
To access the corporate computer networks, attackers used a now-familiar "spear-phishing" approach. The tactic involves targeting company officials with access to the information hackers are seeking. The officials are sent e-mails that appear to come from close associates and are encouraged to open an infected file attachment. At a few companies, hundreds of individuals were sent e-mails that claimed to be a necessary security update.
Once the attached file was opened, a Trojan horse program called "PoisonIvy" – well known in the hacker world – installed itself, created a backdoor into the network, and began sending messages to a "command and control" server. The attackers then identified intellectual property and copied it to other systems before exiting the company network.
Ultimately, Symantec traced the attacks to a US-based computer system that was "owned by a 20-something male located in the Hebei region in China." The US researchers dubbed the Chinese suspect "Covert Grove" – a literal translation of his name – and proceeded to get in touch with him. He claimed to control the US machine solely in order to connect with a popular instant messaging system in China.