fresh espionage campaign named “Icefog” has been uncovered by Kaspersky Labs, which hit targets in South Korea and Japan and had hosted command and control servers in Asia and the United States.
Described as a small yet energetic advanced persistent threat (APT) group, researchers at the company believed that it began operations in 2011 and based on the list of IP addresses used to monitor and control the infrastructure, Kaspersky Lab’s experts believe that some of those behind this operation are based in at least three countries: China, South Korea and Japan.
Based on the profiles of known targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computers and software development, research companies, telecom operators, satellite operators, mass media and television. Rather than infiltrate a network, monitor and send information back to the host, the attackers hijack sensitive documents and company plans, email account credentials and passwords to access various resources inside and outside the victim’s network and do it one by one, locating specific information.
Once the desired information has been obtained, they leave and in most cases, the Icefog operators appear to know exactly what they need from the victims. They look for specific filenames, which are quickly identified, and transferred to the C&C.
The attackers use a backdoor set known as “Icefog”, also known as “Fucobha”. The initial infection is via spear phishing where attackers embed exploits for several known vulnerabilities into Microsoft Word and Excel documents. Once opened, a backdoor is dropped onto the system and a decoy document is then showed to the victim. Kaspersky admitted that some of the vulnerabilities used, especially in Java, were patched some time ago.
What makes this different, according to the research, is that this focuses on targets in South Korea and Japan. Kaspersky Labs said that it first became aware of Icefog in June 2013 when it obtained an attack sample used against Fuji TV; further analysis found that this was a new version of the malware that attacked the Japanese Parliament in 2011.
So far Kaspersky Labs has identified that there are more than 3,600 unique infected IPs and several hundred victims, although it has sinkholed 13 of the 70+ domains used by the attackers. Kaspersky Labs researcher Stefan Tanase saidthat there are still multiple active command and control servers, with live victims connecting to them.
Tanase called the attackers “cyber-mercenaries [who] acted with great precision, targeting specific documents or credentials, then leaving the network within weeks”. Costin Raiu, director of the global research and analysis team at Kaspersky Lab, said: “The ‘hit and run’ nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision.
“The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specialising in hit-and-run operations; sort of ‘cyber mercenaries’ of the modern world.”
