
Cyber 'hit-and-run' op exposed

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Sept 2013
The attacks highlight an emerging trend - smaller hit-and-run gangs that go after information with surgical precision.

Kaspersky Lab's security research team has uncovered a "small yet energetic" group of advanced persistent threat (APT) actors that focuses on targets in South Korea and Japan, going after the supply chain for Western companies.

The attacks target the military, shipbuilding and maritime operations, research companies, telecom operators, satellite operators, mass media and television, and steal sensitive documents and company plans, e-mail account credentials, and passwords.

Dubbed "Icefog", the operation commenced in 2011, but has increased in size and widened its scope over the last few years, Kaspersky Lab says. The threat takes its name from a string used in the command-and-control server name in one of the samples.

There are versions for both Microsoft Windows and Mac OS X.

Costin Raiu, director of Kaspersky Lab's Global Research and Analysis Team, says Icefog is highly targeted. Instead of automatically exfiltrating data, it is operated by the attackers to perform actions directly on the victim's live systems.

He says while most other APT campaigns see victims remaining infected for months or even years, with attackers lurking on their networks, continuously stealing information, Icefog is different. It operates with almost surgical precision - locating and copying only specific, targeted information.

In another indication of how targeted these attacks are, the documents used as lures for spear-phishing are specific to the target's interest.

Kaspersky Lab noted that during these attacks, other malicious tools and backdoors were uploaded to target computers for data exfiltration and lateral movement around the victims' systems.

Cyber mercenaries

According to Raiu, the nature of its attacks highlights an emerging trend - smaller hit-and-run gangs that go after information with surgical precision.

Its attacks last a matter of days or weeks, and once they have what they came for, the threat actors clean up and leave.

"In the future, we predict the number of small, focused 'APT-to-hire' groups to grow, specialising in hit-and-run operations; a kind of 'cyber mercenary' team for the modern world."

Kaspersky Lab's Global Research and Analysis Team has, to date, noted six variants of Icefog and has been able to sinkhole 13 domains used in the attacks, capturing snapshots of the malware employed, and logs detailing the victims and their interaction with command-and-control servers.

