Icefog: APT Hackers for Hire and Deliveries to Order

The supply chain is the soft underbelly of both industry and the critical infrastructure. Big organizations often have big security; but their suppliers are often small companies with little or poor security. Those same suppliers sometimes have access to the big company websites and frequently receive confidential documents from them.

Kaspersky Lab has now published details on an APT group, which it calls Icefog for both the malware and the group, that is specifically targeting this supply chain with "surgical hit and run operations." Although not entirely new – Kaspersky has been monitoring the group since 2011 – Icefog represents "a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision."

Traditional APT cyber espionage groups, sometimes with fifty or more members, choose a high profile major organization, infiltrate it, and remain hidden for months or even years, slowly exfiltrating gigabytes or even terabytes of data. Icefog appears to be different. It's a small group of elite hackers that hack, steal, clean up and leave. "In most cases," says Kaspersky, "the Icefog operators appear to already know very well what they need from the victims. They look for specific file names, which are identified and transferred to the C&C."

Kaspersky researchers have sinkholed 13 of the more than 70 domains known to be used by the attackers. This enabled the researchers to collect data and analyse the group's targets, and although Kaspersky is not releasing specific names (it is in contact with those it has identified "to help them identify and eradicate the infections") it suggests that the ultimate targets include defense companies, telecom operators and heavy industry primarily in South Korea, Japan and Taiwan.

The attack method is by now fairly typical: spear-phishing emails that either carry weaponized Word, Excel or HWP documents (the last is a South Korean word processor widely used in South Korean government offices) or link to a malicious website. The lure documents are tailored to the target's interests. If the attachment is opened, a decoy document is displayed while a backdoor (known to Kaspersky as Icefog and elsewhere as Fucobha) is dropped onto the system.
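A first-pass triage of inbound attachments in the lure formats named above, added here as an illustration and not taken from the article or from Kaspersky's analysis: it identifies the real container by magic bytes, flags an extension that disagrees with the content, flags OOXML files that carry a VBA project, and (as an assumed local policy) routes legacy binary documents from external senders to a sandbox. The file signatures are the standard ones for OLE2/CFB (.doc, .xls, HWP 5.x), ZIP/OOXML (.docx, .xlsx) and the HWP 3.x text header; the `triage` function and its policy are mine.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Standard container signatures: OLE2/CFB (legacy .doc/.xls and HWP 5.x),
# ZIP (OOXML .docx/.xlsx) and the plain-text header of HWP 3.x files.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
HWP3_MAGIC = b"HWP Document File"

EXPECTED_CONTAINER = {
    "doc": "cfb", "xls": "cfb", "hwp": "cfb",        # .hwp: 5.x; 3.x is checked separately
    "docx": "zip", "xlsx": "zip", "docm": "zip", "xlsm": "zip",
}

@dataclass
class Verdict:
    container: str
    reasons: list = field(default_factory=list)   # empty list means "deliver as normal"

    @property
    def sandbox(self) -> bool:
        return bool(self.reasons)

def identify(data: bytes) -> str:
    """Classify the container by leading bytes, ignoring the declared extension."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(HWP3_MAGIC):
        return "hwp3"
    if data.startswith(b"MZ"):      # a Windows executable wearing a document name
        return "pe"
    return "unknown"

def triage(filename: str, data: bytes, external_sender: bool) -> Verdict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = Verdict(identify(data))
    expected = EXPECTED_CONTAINER.get(ext)
    if expected is None:
        return verdict                      # not one of the lure formats this check covers
    if not (ext == "hwp" and verdict.container == "hwp3") and verdict.container != expected:
        verdict.reasons.append(f"extension .{ext} but content is {verdict.container}")
    if verdict.container == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.endswith("vbaProject.bin") for n in z.namelist()):
                    verdict.reasons.append("OOXML document carries a VBA project")
        except zipfile.BadZipFile:
            verdict.reasons.append("ZIP signature but archive does not parse")
    if external_sender and verdict.container in ("cfb", "hwp3"):
        verdict.reasons.append("legacy binary document from outside the organisation")  # assumed policy
    return verdict

def build_ooxml_with_macro() -> bytes:
    """Constructed sample: a minimal OOXML-style archive containing a VBA project stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```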

Kaspersky started to study the group in June 2013, when the company received a malware sample that had targeted Fuji TV. "The spear-phishing e-mail contained a malicious attachment that dropped the Icefog malware," it says. "While analyzing the new attack, it became obvious this was a new version of the malware that attacked the Japanese Parliament in 2011. Considering the importance of the attack, we decided to do a thorough investigation."

Icefog gives the attackers wide-ranging control of the infected system. Since they appear to know what they are looking for, they can traverse the network until they find it, transfer it to the C&C, and leave. It is, in effect, hackers for hire and deliveries to order.
