24 April 2024

Icefog: A hit-and-run APT that targets businesses globally, on the prowl

Published by Staff

Kaspersky Lab’s security research team has published a new research paper on the discovery of “Icefog”, a small yet energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years.

“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information,” said Costin Raiu, Director, Global Research & Analysis Team.

“The ‘hit and run’ nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world.”

Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.

Research indicates the attackers were interested in targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company; ship-building companies such as DSME Tech and Hanjin Heavy Industries; telecom operators such as Korea Telecom; and media and industry bodies such as Fuji TV and the Japan-China Economic Association.

The attackers hijack sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim’s network.

During the operation, the attackers use the “Icefog” backdoor set (also known as “Fucobha”). Kaspersky Lab has identified versions of Icefog for both Microsoft Windows and Mac OS X.

While in most other APT campaigns, victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one -- locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.

In most cases, the Icefog operators appear to know very well what they need from the victims. They look for specific filenames, which are quickly identified and transferred to the C&C.
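The operational pattern described above (a short burst of reads against specifically named documents, an outbound transfer, then cleanup) means the detection window is minutes, not the months a long-dwell intrusion affords. The following is an added example, not Kaspersky's code and not derived from the Icefog report: it hunts for that "grab, exfiltrate, leave" sequence over constructed endpoint telemetry. The log format, the document-keyword list, the RFC 1918 "internal" definition, the 10-minute window and the byte and file-count thresholds are all assumptions for illustration; none of the file names or addresses are Icefog indicators, and the destination addresses are documentation (TEST-NET) ranges used as stand-ins for external hosts.

```python
"""Hunt for the 'find specific documents, exfiltrate, clean up' pattern.

Added example, not Kaspersky or Icefog-derived code.  The log format,
thresholds, keyword list and sample data below are assumptions for
illustration only; nothing here is an Icefog indicator.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).  One event per line:
# <ISO time> <host> <event> <detail>
# TEST-NET addresses (203.0.113.x, 198.51.100.x) stand in for external hosts.
SAMPLE_LOG = """\
2013-06-01T09:00:00 WS-17 FILE_READ C:\\Users\\kim\\Documents\\quarterly_report.docx
2013-06-01T09:00:05 WS-17 FILE_READ C:\\Users\\kim\\Documents\\vessel_design_v3.pdf
2013-06-01T09:00:09 WS-17 FILE_READ C:\\Users\\kim\\Documents\\supplier_contracts.xlsx
2013-06-01T09:00:14 WS-17 FILE_READ C:\\Shares\\eng\\propulsion_plan.docx
2013-06-01T09:02:30 WS-17 NET_OUT 203.0.113.45:443 bytes=5242880
2013-06-01T09:03:00 WS-17 FILE_DELETE C:\\Windows\\Temp\\upd.tmp
2013-06-01T10:15:00 WS-22 FILE_READ C:\\Users\\lee\\Desktop\\lunch_menu.docx
2013-06-01T10:16:00 WS-22 NET_OUT 10.0.0.5:445 bytes=12000
2013-06-01T11:00:00 WS-31 FILE_READ C:\\Users\\park\\notes.txt
2013-06-01T11:00:01 WS-31 NET_OUT 198.51.100.7:443 bytes=8000000
"""

# Assumed tuning knobs: what counts as a "targeted" document, what counts as
# internal, how close in time the reads and the transfer must be.
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx")
SENSITIVE_KEYWORDS = ("report", "design", "contract", "plan", "spec")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=10)   # reads before / deletes after the transfer
MIN_FILES = 3                    # distinct targeted documents read in WINDOW
MIN_BYTES = 1 << 20              # 1 MiB outbound to an external address


def parse(log_text):
    """Turn the text log into (time, host, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def is_targeted_document(path):
    """Office/PDF file whose basename carries one of the assumed keywords."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.endswith(DOC_EXTS) and any(k in name for k in SENSITIVE_KEYWORDS)


def is_external(ip_text):
    """True when the address falls outside the assumed RFC 1918 ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(log_text):
    """Return one alert per large external transfer that was preceded, within
    WINDOW, by reads of at least MIN_FILES targeted documents on the same host.
    Each alert also records whether a file deletion followed the transfer."""
    by_host = {}
    for ev in parse(log_text):
        by_host.setdefault(ev[1], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for ts, _, kind, detail in evs:
            if kind != "NET_OUT":
                continue
            dst, _, size = detail.partition(" bytes=")
            ip = dst.rsplit(":", 1)[0]
            nbytes = int(size)
            if nbytes < MIN_BYTES or not is_external(ip):
                continue
            # Distinct targeted documents read in the window before the transfer.
            grabbed = {d for t, _, k, d in evs
                       if k == "FILE_READ" and ts - WINDOW <= t <= ts
                       and is_targeted_document(d)}
            if len(grabbed) < MIN_FILES:
                continue
            # "Clean up and leave": any deletion shortly after the transfer.
            cleanup = any(k == "FILE_DELETE" and ts <= t <= ts + WINDOW
                          for t, _, k, _ in evs)
            alerts.append({"host": host, "when": ts, "dst": dst, "bytes": nbytes,
                           "files": len(grabbed), "cleanup_seen": cleanup})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a['host']}: {a['files']} targeted documents read, then "
              f"{a['bytes']} bytes to {a['dst']} at {a['when']:%H:%M:%S}; "
              f"cleanup seen: {a['cleanup_seen']}")
```

On the constructed sample only WS-17 trips the rule: four keyword-bearing documents are read within three minutes, 5 MiB then leaves for an external address, and a temp file is deleted thirty seconds later. WS-22 reads a document but sends a small volume to an internal share, and WS-31 sends a large volume externally without any targeted reads, so neither fires. The keyword list is the weakest part of such a rule; in practice it should be replaced with the organisation's own data-classification labels or share paths, and the thresholds tuned against a baseline of normal document activity before alerting on it.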