An advanced persistent threat (APT) named Icefog has been detected, mostly targeting South Korean and Japanese supply chains, including government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high-technology companies, and mass media.
Icefog, tracked by Kaspersky since 2011, was recently discovered in June 2013 following an attack sample retrieved from Fuji TV. Upon analysis, six different variants were identified. These attacks were also found to be essentially a newer form of the original attack on the Japanese Parliament in 2011.
Icefog follows an ongoing trend: a relatively small group of attackers performing hit-and-run operations with a focus on the supply chain. The initial attack is carried out through spear-phishing emails; the victims receive an email with an attachment or a link to a malicious site offering downloadable files. When the files are downloaded, a backdoor is dropped onto the system, giving Icefog access to the machine. Specific, sensitive information is then extracted with surgical precision. Distinctive to Icefog's method is that, once the information has been acquired, the group moves on to another machine, in sharp contrast to the usual long-term infection that other APTs maintain.
So, who, in general, is susceptible to Icefog's attacks? The attacks are carried out with custom-made cyber-espionage tools that run on Microsoft Windows and Apple Mac OS X, leaving Linux machines unaffected. An Android variant is suspected to exist but has not yet been found.
Considering some of the major tensions in East Asia, Icefog's attack pattern raises the question of whether these attacks are state-sponsored. Usually, a state sponsor is inferred from the motivations of the campaign, which tends to last a long time. Because of Icefog's hit-and-run method, it is hard to determine an overarching theme beyond the supply chain, which makes it difficult to pinpoint anyone. It should be mentioned, though, that based on the IP addresses used to monitor and control the infrastructure, the parties that could be responsible for Icefog narrow down to China, South Korea, or Japan.
Fortunately, Kaspersky found a few command-and-control servers and sinkholed some of them, cutting off access to hundreds of victims. Additionally, Kaspersky is able to identify and neutralize all variants of Icefog. Despite the work being done against these APTs, Kaspersky says that "In the future, [they] predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of 'cyber mercenaries' of the modern world."