APT for Hire: Icefog Evolves Beyond Surgical Hit-and-Run Strikes with Javafog

Icefog has so far claimed thousands of unique infected IPs and several hundred victims

Carried out by small groups of cyber-mercenaries, Icefog has so far claimed thousands of unique infected IPs and several hundred victims. Kaspersky Lab’s research team originally characterized Icefog in an analysis as a “small yet energetic APT” focused on targets in South Korea and Japan that make up part of the supply chain for Western companies. The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.

The operation started in 2011 and has increased in size and scope over the last few years, the firm found. Based on the profiles of known targets, the attackers appear to have an interest in a range of sectors: military, shipbuilding and maritime operations, computers and software development, research companies, telecom operators, satellite operators, mass media and television. Some of the target names are big: defense industry contractors such as Lig Nex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom and media companies such as Fuji TV and the Japan-China Economic Association.

“For the past few years, we’ve seen a number of APTs hitting pretty much all kinds of victims and sectors,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information.”

The groups carrying the attacks out are an emerging cadre of criminal gangs, available for hire to perform surgical hit-and-run operations. These Icefog operators are processing victims one by one – locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.

“The attack usually lasts for a few days or weeks, and after obtaining what they were looking for, the attackers clean up and leave,” Raiu explained. “In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations; sort of ‘cyber mercenaries’ of the modern world.”

Now, the attackers are expanding their scope. As before, they're using variants of the Icefog backdoor set, which targets both Microsoft Windows and Mac OS X. The backdoor is stealthy, and victims could remain infected for months or even years while attackers continuously exfiltrate data, the researchers found. Javafog appears to be designed for exactly that kind of long-term access. Its infection vector uses Java vulnerabilities and compromised applets.

“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C,” researchers said in a blog. “We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations (most Icefog operations being very short – the hit-and-run type).”

Javafog also has a focus on US targets.

“This could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long-term collection of intelligence on the target,” they noted. “This brings another dimension to the Icefog gang's operations, which appear to be more diverse than initially thought.”

Kaspersky researchers have sinkholed the Javafog domain and notified the victims, the firm said.
