Malware-infected scanners sold by a Chinese manufacturer led to the theft of sensitive financial and operational data from at least a half-dozen U.S. and European logistics and shipping companies.
The malware was also found in software available for download on the manufacturer's Website, security vendor TrapX reported Thursday. The malicious app was the first stage of a three-stage attack dubbed Zombie Zero that compromised business software and sent data back to facilities linked to the Chinese military.
Confidentiality agreements prevented the vendor from identifying the victims. TrapX also declined to name the manufacturer to avoid a possible lawsuit.
"We're only a startup and we don't have a war chest that could handle any type of legal situation," Carl Wright, general manager of North America for TrapX, said.
The manufacturer was notified, but denied any wrongdoing, Wright said.
The U.S. Department of Homeland Security declined comment, but experts warned that the incident demonstrates that companies can no longer afford to buy equipment without vetting the manufacturer.
The scanners were used to capture the origin, destination, contents and other data from goods moving between ships, trucks and planes.
The scanned data was then transmitted wirelessly to corporate enterprise resource planning (ERP) systems, which manage financial data, track inventory, manage shipping and perform a host of other business processes.
Once the scanner was connected to the network, the malware would first find a way through the firewall and then look for, and compromise, servers with the word "finance" in their host name. It repeated this until it had infected the ERP server.
Stage two of the attack involved a second, dormant piece of malware downloaded to the scanner, which established a connection between the ERP server and a Chinese command-and-control botnet traced to the Lanxiang Vocational School located in Shandong Province, China.
The school, located blocks away from the manufacturer, trains computer scientists for the Chinese military. In 2010, it was linked to cyberattacks, dubbed Operation Aurora, against dozens of organizations, including Google, Yahoo, Northrop Grumman, Morgan Stanley and Dow Chemical.
Stage three of the attack involved installing additional malware from the botnet that established a more sophisticated connection with a second botnet that ended at an undetermined location in Beijing.
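The two behaviours described in stages one and two (a scanner reaching for "finance" hosts beyond the ERP endpoint it legitimately needs, and the ERP server then connecting out to an external address) can both be checked against a traffic baseline. The following is an added detection example, not code from TrapX or the article; the log format, network ranges, host names and IP addresses are all constructed for illustration.

```python
"""Flag Zombie Zero-style behaviour in a constructed connection log.

Two checks:
  1. A barcode scanner is an embedded device that should only talk to its ERP
     endpoint; any other destination is suspicious, and a hostname containing
     "finance" matches the targeting the report describes.
  2. The ERP server should not open connections to arbitrary external
     addresses; any destination outside the internal ranges is flagged.
"""
import ipaddress
import re

# Constructed sample (not real data): ts, src_ip, dst_ip, dst_hostname ("-" if unknown)
SAMPLE_LOG = """\
1404900001 10.20.30.11 10.0.5.10 erp01.corp.example
1404900002 10.20.30.11 10.0.5.22 finance-db.corp.example
1404900003 10.20.30.11 10.0.5.23 finance-app.corp.example
1404900004 10.20.30.11 10.0.5.40 hr-portal.corp.example
1404900005 10.0.5.10 203.0.113.45 -
1404900006 10.20.30.12 10.0.5.10 erp01.corp.example
"""

SCANNER_NET = ipaddress.ip_network("10.20.30.0/24")  # hypothetical scanner VLAN
SCANNER_ALLOWED = {"erp01.corp.example"}              # the only host a scanner needs
ERP_SERVERS = {"10.0.5.10"}                           # hypothetical ERP address
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]       # hypothetical corporate range
FINANCE_RE = re.compile(r"finance", re.IGNORECASE)


def parse(log):
    """Yield (ts, src, dst, hostname) tuples from whitespace-separated lines."""
    for line in log.splitlines():
        ts, src, dst, host = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), host


def detect(log):
    """Return (ts, source, destination, reason) for every baseline violation."""
    alerts = []
    for ts, src, dst, host in parse(log):
        if src in SCANNER_NET and host not in SCANNER_ALLOWED:
            reason = "scanner reached host outside baseline"
            if FINANCE_RE.search(host):
                reason += " (hostname contains 'finance')"
            alerts.append((ts, str(src), host, reason))
        if str(src) in ERP_SERVERS and not any(dst in net for net in INTERNAL):
            alerts.append((ts, str(src), str(dst), "ERP server outbound to external address"))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields three scanner alerts (two of them marked as "finance" hosts) and one ERP outbound alert; in practice the same checks apply to Zeek conn/dns logs or firewall logs once parsed into the same four fields.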
The data siphoned from the systems provided the attackers with "complete situational awareness and visibility into the logistic/shipping company's worldwide operations," the TrapX report said.
TrapX confirmed that at least six companies had malware planted in their ERP systems.
"In every single case the malware compromised the ERP system," Wright said. "This was a very, very targeted attack."
Since then, TrapX has found variants of the Zombie Zero malware in two manufacturers' industrial control systems, Wright said. No damage was done and he declined to discuss a possible motive or provide any other details.