'Icefog' spying operation targeted Japan, South Korea

Kaspersky Lab says the Icefog attackers appeared to know what files they needed from victims

Kaspersky Lab says a hacking campaign called Icefog targeted organizations in Japan and South Korea with phishing emails laden with malware.

Kaspersky Lab says a hacking campaign called Icefog targeted organizations in Japan and South Korea with phishing emails laden with malware.

A hacking group that targeted Japan's parliament in 2011 is believed to have conducted nimble data thefts against organizations mainly in South Korea and Japan, including defense contractors, over the past two years.

The "Icefog" hackers probed victims one by one, carefully copying select files and then exiting the systems, according to security vendor Kaspersky Lab, which released a 68-page report on the group Wednesday.

"The nature of the attacks was also very focused," Kaspersky wrote. "In many cases, the attackers already knew what they were looking for."

Over the past several years, security analysts have noticed an uptick in so-called "advanced persistent threat" (APT) attacks, where interlopers plant stealthy malware on networks for cyber spying.

"In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of 'cyber mercenaries' of the modern world," the report said.

Kaspersky did not name the organizations that were victimized, but did name a few targeted by Icefog. A private report with more information is available to governments, the company said.

Those targeted included the defense contractors Lig Nex1 and Selectron Industrial Company; two shipbuilding companies, DSME Tech and Hanjin Heavy Industries; Korea Telecom, Fuji TV and the Japan-China Economic Association. Kaspersky said the naming of those companies did not imply the Icefog attacks were successful.

Icefog was detected in 2011 after the group targeted Japan's parliament, and its campaign has continued through this year, Kaspersky said.

Based on where the stolen data was transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.

The hackers target victims by email, sending malicious attachments or links to websites that will attack the victim's computer if it has software vulnerabilities in programs such as Microsoft Word, Adobe Reader or within the operating system.

Mac OS X systems are also targeted. Kaspersky counted 4,500 IP addresses that were infected, which belonged to more than 430 victims. The Macfog malware, which purported to be a graphics application, popped up late last year on several Chinese-language forums.

"The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide," the report said.

Once a computer has been compromised, the hackers upload malicious tools and backdoors. They look for email account credentials, sensitive documents and passwords to other systems, Kaspersky said.

After the hackers find what they're looking for, the Icefog attackers tend to exit the systems.

"The 'hit and run' nature of this operation is one of the things that make it unusual," the report said. "While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims."

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachdata protectionmalwarekaspersky lab

More about Adobe SystemsAPTFujiKasperskyKasperskyMicrosoftSelectron

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts