Cybersecurity firm Kaspersky Lab said Thursday that it has discovered a group of “cyber-mercenaries” it calls “Icefog”. Its targets: government and military institutions.

Most of the victims have been in South Korea and Japan. But the Icefog campaign is coming to an American company near you, Kaspersky Lab security analysts said during the 4th Annual Billington Cybersecurity Summit in Washington DC today.

Icefog is an advanced persistent threat, or APT in cyber-security parlance, but it differs from the usual APT. Those skilled, well-resourced adversaries tend to gun for high-profile victims and stealthily infiltrate computer systems to snoop on or steal valuable data over a long period of time. Such teams sometimes count tens or even hundreds of people mining terabytes or even petabytes of data.

There has been an increasing focus on attribution and pinpointing the sources of those slow-burning APT attacks, but not much is known about a newly emerging trend: smaller hit-and-run operations that go after the supply chain and compromise targets with surgical, lightning-fast precision.

Such is the world of Icefog.

“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out sensitive information,” said Costin Raiu, Director of Kaspersky’s Global Research & Analysis Team. “The attack usually lasts for a few days or weeks and after obtaining what they are looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” he said.

In addition to Japan and South Korea, connections to several other countries were found, including China, the U.S., Australia, Canada, the U.K., Italy, Germany, Austria, Singapore, Belarus and Malaysia.

In total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).

Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab said some of the players behind this operation are based in China, South Korea, Japan, or some combination of the three.

The name “Icefog” comes from a string used in the command-and-control server name found in one of the malware samples analyzed by Kaspersky in Moscow and Woburn, Mass. They said that the command-and-control software was named “Dagger Three” (“尖刀三号”) when translated from the Chinese. For martial arts fans, “尖刀三号” is similar to “三尖刀”, which is an ancient Chinese weapon.

Icefog is distributed to targets via spear-phishing e-mails that carry either attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities into Microsoft Word and Excel documents. Once the target opens such a file, a backdoor is dropped onto the system and a decoy document is shown to the victim, Kaspersky said in its detailed 68-page report titled “The Icefog APT: A Tale of Cloak and Three Daggers.”
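The infection chain above (booby-trapped Word/Excel attachment, backdoor dropped, decoy shown) is the pattern a mail gateway or incident responder would want to triage quickly. The script below is an added example, not Kaspersky's tooling or anything from the Icefog report: it classifies an attachment by container type (legacy OLE2 versus zip-based OOXML), flags an extension/container mismatch, lists embedded objects in an OOXML package, and searches every blob for an embedded PE image by validating the MZ header's e_lfanew pointer rather than matching the two bytes "MZ" alone. It assumes the dropper carries its payload inside the document; a document that only hosts an exploit and downloads the backdoor would not trip the PE check. All sample bytes are constructed here, not real Icefog samples.

```python
"""Heuristic triage of Office attachments for the dropper pattern described
above. Added example; the samples are constructed stand-ins, not malware."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx) is a zip
EXPECTED_CONTAINER = {"doc": "ole2", "xls": "ole2", "docx": "ooxml", "xlsx": "ooxml"}


def classify_container(data: bytes) -> str:
    """Name the container by magic bytes, not by the file extension the sender chose."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of plausible PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits, start = [], 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(data):
            return hits
        e_lfanew = int.from_bytes(data[i + 0x3C:i + 0x40], "little")
        if 0 < e_lfanew < 0x1000 and data[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            hits.append(i)
        start = i + 1


def triage_attachment(filename: str, data: bytes) -> dict:
    """Collect dropper indicators; an empty findings list means nothing was seen."""
    kind = classify_container(data)
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and expected != kind:
        findings.append(f"extension .{ext} does not match container {kind}")
    blobs = [data]
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Embedded OLE objects live under */embeddings/ in a real package.
                if "embeddings/" in info.filename.lower():
                    findings.append(f"embedded object {info.filename}")
                blobs.append(zf.read(info))  # scan decompressed members too
    if any(find_embedded_pe(b) for b in blobs):
        findings.append("embedded PE image (MZ header with valid e_lfanew) found")
    verdict = "suspicious" if findings else "no dropper indicators"
    return {"container": kind, "findings": findings, "verdict": verdict}


def build_samples() -> dict:
    """Constructed test inputs (assumption: stand-ins for real attachments)."""
    # Minimal fake PE: MZ header, e_lfanew = 0x40, then the PE signature.
    fake_pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
    clean_doc = OLE2_MAGIC + b"\0" * 512
    dropper_doc = OLE2_MAGIC + b"\0" * 504 + fake_pe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/embeddings/oleObject1.bin", fake_pe)
    return {"clean.doc": clean_doc, "report.doc": dropper_doc, "invoice.docx": buf.getvalue()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage_attachment(name, blob))
```

The e_lfanew check matters: two-byte "MZ" appears constantly in compressed and binary data, so matching it alone drowns an analyst in false positives. Treat a hit as a reason to detonate the file in a sandbox and pull the dropped backdoor, not as proof on its own.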

The “hit and run” nature of this operation is one of the things that make it unusual. Where in other cases victims remain infected for months or even years and data is continuously stolen or copied, the Icefog attackers appear to know exactly what they want. Once they get it, the victim is abandoned, often without ever knowing what hit them.
