Icefog: Mercenary Hackers Conduct New Cyber Espionage Campaigns



A new trend: small, mercenary hacker groups conduct precise “hit and run” operations.

A new report by Kaspersky Lab discusses Icefog, a small but active hacker group focusing on South Korean and Japanese targets. The group’s activities have already caused significant damage to the supply chains of western companies. The group began its operations in 2011 and has expanded considerably since then.

“Over the last few years we’ve noticed a few persistent threats targeting almost all types of sectors and victims. Usually the attacker maintains access to the organization’s networks for years, and steals many terabytes’ worth of sensitive information,” said a Kaspersky Lab top researcher. “The ‘hit and run’ Icefog activities are part of a new trend of small groups who conduct quick, precise hacking operations. The attack usually lasts for days or weeks; after getting what they came for, the attackers clean up and leave.” Kaspersky’s analysis is that there will be more attacks of this sort in the future by these types of small, hit-and-run groups, the new “online mercenaries” of the modern world.

Main findings:

  • Based on the target profiles, the attackers have shown interest in the following areas: military, shipbuilding and naval activities, computers and software development, research companies, telecom, satellite operators, mass media and television.
  • The research shows that the attackers were interested in defense industry contractors such as Lig Nex 1 and Selectron Industries, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom companies such as Korea Telecom, and communications companies such as Fuji TV.
  • The attackers accessed sensitive documents and programs, email accounts, and other resources inside and outside the network.
  • During the campaign the attackers used the Icefog family of backdoors (also called Fucobha). Security experts identified Icefog versions for Windows and Mac OS X.
  • The Icefog attacks are very focused and last for an unusually short time. The hackers target specific data and leave once they have it.
  • In most cases the Icefog operators knew exactly what they were looking for on the victim’s network. They searched for specific file names, quickly identified the files and transferred them to the command and control center.

iHLS – Israel Homeland Security

Methods of attack:

The researchers uncovered 13 of the 70 domains used by the attackers, and this allowed them to find out how many victims were targeted throughout the world. The Icefog command and control servers also keep encrypted “victim logs”, as well as records of other activities executed on the victims. The logs can be used to find out what the hackers were looking for, and sometimes to actually discover the identity of the victims. In addition to Japan and Korea, other countries hit by the group include Taiwan, Hong Kong, China, the U.S., Italy, Britain, Germany, Austria, Singapore, Belarus and Malaysia. All in all, the researchers discovered more than 4,000 infected IP addresses and several hundred victims (dozens of Windows users and more than 350 Mac users). Based on the IP addresses used to control the infrastructure, experts believe that those responsible for the attacks are based in three countries: China, South Korea and Japan.