Kaspersky Lab confirmed uncovering the Icefog campaign in its The Icefog APT: A Tale of Cloak and Three Daggers threat report. The researchers said the campaign has been active since at least 2011 and has hit a number of high profile targets.
"Icefog is an Advanced Persistent Threat that has been active since at least 2011, targeting mostly Japan and South Korea. Known targets include government institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media," read the report.
"There are versions for both Microsoft Windows and Mac OS X. In its latest incarnation, Icefog doesn't automatically exfiltrate data, instead it is operated by the attackers to perform actions directly on the victim's live systems."
Principal security researcher at Kaspersky, Lab Vitaly Kamluk told V3 the attacks are particularly dangerous as they use an atypical, real-time strategy tailored to the victim's systems making. "The Windows machines are infected through ‘hit and run' targeted attacks - a fact that makes Icefog a very unique operation," he said.
"While in other APT campaigns, victims remain infected for months or even years and attackers are continuously exfiltrating data, Icefog operators are processing victims one by one - they locate and copy only specific, targeted information. They set up command-and-control servers, create a malware sample that interacts with it, attack the victim, infect it, and communicate with the victim machine before moving on.
"The nature of the attacks is also very focused - in many cases, the Icefog operators appear to know very well what they need from the victims. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned. Basically, the attackers come, steal what they want and leave."
Kamluk said the attacks hit-and-run nature makes detecting Icefog attacks particularly difficult as it requires them to forensically examine each specific raid on a case-by-case basis, rather than look for general trends.
"While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned. The shortest amount of time the Icefog attackers spent in the victim's network is a few hours. Before leaving the network, they clean up the system, not to leave traces," he said.
He added the variety of victims indicates the hackers operate on a "for hire" basis, renting their services out to the highest bidder.
"Icefog is a small hit-and-run gang available for hire that attack organisations with surgical precision. Unlike other APT gangs that consist of tens of people (for example NetTraveler which had a team of 50-to-100 people), there are just six-to-12 people in it," he said.
Kamluk said cyber mercenary gangs are a growing problem facing the security community and he expects to see more groups-for-hire mounting similar operations in the very near future. "The discovery of this gang exposes a new trend - the emergence of ‘cyber-mercenaries' - an organised group of people conducting cyber-espionage/cyber-sabotage activities on demand, after order of anyone who pays money," he said.
"This is something new in the area of targeted attacks. And we expect this trend to grow in future, and more small groups of cyber-mercenaries will be available for hire to perform surgical hit and run operations."
He added the hackers' refined attack strategy makes tracking them difficult, but there is evidence to suggest they may be based in China.
"The ‘for hire' nature of the attack makes attribution difficult. Exfiltrated data could be converted into money or used for cyber-espionage purposes. So it may be a nation-state sponsored cyber-espionage/surveillance operation (in cases when attackers were after the budget of Army of one of the countries), or a financially-motivated cyber-criminal operation (in cases when they were after specific blueprints related to design and technologies) - even both if the gang had several different contractors," he said.
"Based on the list of IPs used to monitor and control the infrastructure, we assume some of the threat actors behind this operation are based in at least three countries: China (the largest number of connections), South Korea and Japan."
State sponsored hacker teams have been a growing problem facing industry, with numerous reports breaking suggesting intelligence are hiring independent groups for cyber offensive operations.
Most recently, F-Secure chief research officer Mikko Hypponen reported uncovering evidence that the NSA's Tailored Access Operations (TAO) unit and GCHQ are outsourcing missions to third-party security companies.
No comments:
Post a Comment