Small groups of what are best described as cyber-mercenaries, willing and able to perform surgically precise hit and run hacking operations, are offering their services for hire out of China, Japan and South Korea. That's the conclusion of security researchers at Kaspersky Lab who have been following the progress of a newly discovered espionage campaign, known as Icefog and targeting the supply chain in South Korea and Japan which feeds companies in the West.
Icefog is an APT, or Advanced Persistent Threat, and in the words of the Kaspersky Lab report a "small yet energetic" one. Although it appears to have started as long ago as 2011, it has only recently hit the radar with an upsurge in size and scope. The 'new' part of the APT equation in this case is the introduction of these cyber-mercenary gangs that are available for hire.
"For the past few years, we’ve seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information," says Costin Raiu, Director of Global Research & Analysis at Kaspersky Lab, who continues: "The hit-and-run nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused APT-to-hire groups to grow, specialising in hit-and-run operations; sort of cyber mercenaries of the modern world."
The Icefog attackers appear to be targeting sectors such as military, shipbuilding and maritime operations, computers and software development, research companies, telecom operators, satellite operators, mass media and television. The research suggests defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, and media companies such as Fuji TV and the Japan-China Economic Association were the main targets. The attack itself involves the hit-and-run teams hijacking sensitive documents and company plans, e-mail account credentials and passwords used to access various resources inside and outside of the victim’s network. They can accomplish this courtesy of the Icefog backdoor, which is also known as Fucobha and has been found for both Microsoft Windows and Mac OS X.
While in most other APT campaigns victims remain infected for months or even years and attackers are continuously exfiltrating data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave. This indicates that the attackers know exactly what they need from the victims: they are looking for specific filenames, and these are then transferred to the Command & Control centre.
Kaspersky has sinkholed 13 of the 70 or so domains being used by the attackers, and by doing so has gathered statistics on the number of victims worldwide. It also means that the encrypted logs of the victims, together with the various operations performed on them by the operators, can be used to identify targets and, potentially, the victims as well. In addition to Japan and South Korea, many sinkhole connections from several other countries were observed, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. In total, Kaspersky Lab observed more than 4000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).