Cybersecurity firm Kaspersky Lab said Thursday that it’s discovered a group of “cyber-mercenaries” called “Icefog”. Target: government and military institutions.

Most of the victims have been in South Korea and Japan. But the Icefog campaign is coming to an American company near you, Kaspersky Lab security analysts said during the 4th Annual Billington Cybersecurity Summit in Washington DC today.

Icefog is an advanced persistent threat, or APT in cyber security parlance. Only, it is different from the usual APT. These skilled high tech adversaries tend to gun for high-profile victims and stealthily infiltrate computer systems to snoop or steal valuable data over a long period of time. Such teams sometimes count tens or even hundreds of people mining terabytes or even petabytes of data.

There has been an increasing focus on attribution and pinpointing the sources of those slow burning APT attacks, but not much is known about a new emerging trend: the smaller hit-and-run operations that are going after the supply chain and compromising targets with surgical, lightning fast precision.

Such is the world of Icefog.

“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out sensitive information,” said Costin Raiu, Director of Kaspersky’s Global Research & Analysis Team. “The attack usually lasts for a few days or weeks and after obtaining what they are looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” he said.

In addition to Japan and South Korea, many connections in several other countries were found, including China, the U.S., Australia, Canada, the U.K., Italy, Germany, Austria, Singapore, Belarus and Malaysia.

In total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).

Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab said some of the players behind this threat operation are either based in China, South Korea, Japan or any combo of the three.

The name “Icefog” comes from a string used in the command-and-control server name found in one of the malware samples analyzed by Kaspersky in Moscow and Woburn, Mass. They said that the command-and-control software was named “Dagger Three” (“尖刀三号”) when translated from the Chinese. For martial arts fans, “尖刀三号” is similar to “三尖刀”, which is an ancient Chinese weapon.

Icefog is distributed to targets via spear-phishing e-mails which can either have attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities into Microsoft Word and Excel documents. Once these files are opened by the target, a backdoor is dropped onto the system and a decoy document is then shown to the victim, Kaspersky said in its detailed 68 page report titled “The Icefog APT: A Tale of Cloak and Three Daggers.”
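A defender-side illustration of the delivery step described above: the lure arrives as a Word or Excel attachment, so an e-mail gateway can identify Office containers by their magic bytes (not by the declared extension) and divert them to a sandbox before a user opens them. This is an added example, not Kaspersky's tooling or anything from the report; the message, sender addresses and attachment contents are constructed for the demonstration.

```python
"""Triage inbound e-mail attachments: route Office containers (the carrier
Icefog-style spear-phishing relies on) to a sandbox instead of the mailbox.
Constructed example, not Kaspersky's code."""
import email
from email import policy
from email.message import EmailMessage

# Container signatures (well-known file magic).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx are ZIP files
RTF_MAGIC = b"{\\rt"                              # RTF header
OFFICE_EXTENSIONS = (".doc", ".xls", ".docx", ".xlsx", ".rtf")


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'office-ole2', 'office-ooxml', 'rtf', 'mismatch' or 'other'.

    'mismatch' means the extension and the bytes disagree (an Office file
    renamed to hide, or a non-Office payload wearing an Office name); both
    deserve the same sandbox treatment as a real Office document."""
    name = filename.lower()
    looks_like_office = name.endswith(OFFICE_EXTENSIONS)
    if data.startswith(OLE2_MAGIC):
        kind = "office-ole2"
    elif data.startswith(ZIP_MAGIC) and name.endswith((".docx", ".xlsx")):
        kind = "office-ooxml"
    elif data.startswith(RTF_MAGIC):
        kind = "rtf"
    else:
        kind = "other"
    if looks_like_office and kind == "other":
        return "mismatch"
    if not looks_like_office and kind != "other":
        return "mismatch"
    return kind


def triage_message(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and decide per attachment: sandbox or allow."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():  # skips the text body itself
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        kind = classify_attachment(filename, data)
        findings.append({
            "filename": filename,
            "kind": kind,
            "action": "sandbox" if kind != "other" else "allow",
        })
    return findings


def build_sample() -> bytes:
    """Constructed lure: a legacy .doc, a harmless text note, and an .xls
    whose bytes are not an Office container at all."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "analyst@example.invalid"       # placeholder address
    msg["Subject"] = "Meeting agenda"
    msg.set_content("Please review the attached document.")
    fake_doc = OLE2_MAGIC + b"\x00" * 64        # synthetic OLE2 header, no real content
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="agenda.doc")
    msg.add_attachment("hello", filename="notes.txt")
    msg.add_attachment(b"not really office", maintype="application",
                       subtype="vnd.ms-excel", filename="data.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

Only the first and third attachments are sent to the sandbox: the first because its bytes are a genuine OLE2 container, the third because its `.xls` name does not match its contents. The decision is taken on the decoded bytes, so a base64 transfer encoding or a misleading `Content-Type` header does not change the outcome.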

The “hit and run” nature of this operation is one of the things that make it unusual. While in other cases victims remain infected for months or even years, and data is continuously stolen or copied, Icefog attackers appear to know exactly what they want. Once they get it, the victim is abandoned, often not even knowing what hit them.
