Cybersecurity firm Kaspersky Lab said Thursday that it’s discovered a group of “cyber-mercenaries” called “Icefog”. Target: government and military institutions.
Most of the victims have been in South Korea and Japan. But the Icefog campaign is coming to an American company near you, Kaspersky Lab security analysts said during the 4th Annual Billington Cybersecurity Summit in Washington DC today.
Icefog is an advanced persistent threat, or APT in cyber security parlance. But it differs from the usual APT. These skilled, high-tech adversaries tend to gun for high-profile victims and stealthily infiltrate computer systems to snoop or steal valuable data over a long period of time. Such teams sometimes count tens or even hundreds of people mining terabytes or even petabytes of data.
There has been an increasing focus on attribution and pinpointing the sources of those slow-burning APT attacks, but not much is known about a new emerging trend: the smaller hit-and-run operations that are going after the supply chain and compromising targets with surgical, lightning-fast precision.
Such is the world of Icefog.
“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out sensitive information,” said Costin Raiu, Director of Kaspersky’s Global Research & Analysis Team. “The attack usually lasts for a few days or weeks and after obtaining what they are looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” he said.
In addition to Japan and South Korea, many connections in several other countries were found, including China, the U.S., Australia, Canada, the U.K., Italy, Germany, Austria, Singapore, Belarus and Malaysia.
In total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).
Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab said some of the players behind this threat operation are based in China, South Korea, Japan, or some combination of the three.
The name “Icefog” comes from a string used in the command-and-control server name found in one of the malware samples analyzed by Kaspersky in Moscow and Woburn, Mass. Kaspersky said the command-and-control software’s name, “尖刀三号”, translates from Chinese as “Dagger Three”. For martial arts fans, “尖刀三号” resembles “三尖刀”, the name of an ancient Chinese weapon.
Icefog is distributed to targets via spear-phishing e-mails which carry either attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities into Microsoft Word and Excel documents. Once the target opens such a file, a backdoor is dropped onto the system and a decoy document is then shown to the victim, Kaspersky said in its detailed 68-page report titled “The Icefog APT: A Tale of Cloak and Three Daggers.”
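The infection chain above (a booby-trapped Word or Excel attachment that drops a backdoor and then shows a decoy) suggests one cheap triage check a mail gateway or analyst can run: pull the Office attachments out of a message and look for a Windows executable embedded inside the document. The script below is an added example written for this article, not code from Kaspersky's report, and it does not use any Icefog sample or indicator. It parses an RFC 822 message with Python's standard `email` module, keeps attachments that look like legacy OLE or OOXML Office files, and flags any that contain an `MZ` header whose `e_lfanew` field points at a valid `PE\0\0` signature. The sample message, the attachment names and the "payload" (a fake OLE header followed by a fake PE stub) are all constructed for the demo.

```python
"""Triage Office attachments for an embedded PE executable.

Added example for this article, not code from Kaspersky's Icefog report.
Heuristic: a Word/Excel file that carries a complete MZ/PE header inside it
is a strong candidate for a document built to drop a backdoor. This will not
catch every exploit document (a shellcode stage that downloads the payload
leaves no PE in the file), so treat a clean result as "nothing obvious".
"""
import re
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
OOXML_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx (zip container)
OFFICE_EXTS = (".doc", ".xls", ".docx", ".xlsx")


def looks_like_office(name: str, data: bytes) -> bool:
    """Extension and magic bytes must both say 'Office document'."""
    return name.lower().endswith(OFFICE_EXTS) and (
        data.startswith(OLE_MAGIC) or data.startswith(OOXML_MAGIC)
    )


def embedded_pe_offsets(data: bytes) -> list:
    """Offsets of every 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        # e_lfanew lives at DOS-header offset 0x3C and gives the PE header offset
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def triage_message(raw: bytes) -> list:
    """Return one finding per Office attachment in the raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not looks_like_office(name, data):
            continue
        pe = embedded_pe_offsets(data)
        findings.append({
            "filename": name,
            "size": len(data),
            "embedded_pe_at": pe,
            "suspicious": bool(pe),
        })
    return findings


def _fake_pe_stub() -> bytes:
    """A minimal, non-executable MZ/PE header: e_lfanew = 0x40 -> 'PE\\0\\0'."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS header up to 0x3C
    stub += (0x40).to_bytes(4, "little")          # e_lfanew
    stub += b"PE\x00\x00" + b"\x00" * 16          # PE signature + padding
    return bytes(stub)


def build_sample_message() -> bytes:
    """Constructed spear-phish: one benign .doc and one .xls with a PE inside."""
    msg = EmailMessage()
    msg["From"] = "procurement@example.invalid"   # hypothetical sender
    msg["To"] = "analyst@example.invalid"         # hypothetical recipient
    msg["Subject"] = "Updated contract terms"
    msg.set_content("Please review the attached documents.")
    benign = OLE_MAGIC + b"\x00" * 512 + b"Quarterly budget figures" + b"\x00" * 64
    dropper = OLE_MAGIC + b"\x00" * 512 + _fake_pe_stub() + b"\x00" * 64
    msg.add_attachment(benign, maintype="application", subtype="msword",
                       filename="budget.doc")
    msg.add_attachment(dropper, maintype="application", subtype="vnd.ms-excel",
                       filename="contract_terms.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "clean"
        print(f"{finding['filename']:22s} {finding['size']:6d} bytes  {flag}"
              f"  pe_at={finding['embedded_pe_at']}")
```

Run it on a real `.eml` by replacing `build_sample_message()` with the file's bytes. The `e_lfanew` validation is what keeps the check from firing on every stray "MZ" in a spreadsheet; a real triage pipeline would go on to carve the PE out and hash it, and would also inspect OOXML archives member by member rather than scanning the compressed zip bytes, which this example does not do.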
The “hit and run” nature of this operation is one of the things that make it unusual. While in other cases victims remain infected for months or even years, and data is continuously stolen or copied, Icefog attackers appear to know exactly what they want. Once they get it, the victim is abandoned, often without ever knowing what hit them.