Chinese 'Icefog' gang attacks Asian countries using 'hit and run' APTs

Traced to clutch of past attacks

Kaspersky Lab has identified another Chinese APT campaign. Dubbed 'Icefog', the largely Japanese, Taiwanese and South Korean targets included a well-publicised attack on Japan's House of Representatives in 2011.

Kaspersky Lab and others have released a steady stream of research on what is starting to look like a thriving mostly Chinese industry selling hacking expertise and espionage to governments.

In recent weeks, Symantec published a paper on a major hacking-for-hire group it called 'Hidden Lynx' responsible for a large number of attacks while Kaspersky itself has uncovered evidence that North Korea was trying its hand at the same chicanery with its 'Kimsuky' Trojan.

Judging from Kaspersky's latest research, Icefog looks like a smaller player than Hidden Lynx or the notorious Comment Crew/APT1 convincingly blamed for a hugely successful raid on defence contractor QinetiQ.

At first Icefog doesn't look particularly innovative, pivoting on the same tried and trusted techniques of spear-phishing and email-delivered software exploits as every other APT campaign yet discovered. The aim is to gather address books, user credentials, and documents, including those created by Office and the South Korean Hangul word processor.

One interesting variation is a 'Macfog' beta variant targeting 64-bit OS X users. It was seeded through Chinese bulletin boards to several hundred victims while masquerading as a graphics application, and Kaspersky speculates that this might be a test run for a more fully featured version designed to attack the platform.

The campaign's defining characteristic is probably its command and control network, which uses a 'hit and run' model: infrastructure is set up for an attack and then disappears within a month or two. This is an unusual tactic. Commercial criminals invest a lot of time and effort trying to protect their C&C; Icefog deliberately builds and dismantles it once the attack is over, a technique for obscuring its activities from security researchers.

This also makes it very hard to estimate the extent of Icefog's activity, Kaspersky said. Dating back to 2011 at least, it had a slower year in 2012 before an uptick in 2013, but this could just be another consequence of its temporary C&C design.
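The short-lived C&C described above is also a detection opportunity for defenders: a domain that a handful of hosts contact for a few weeks and then never again stands out against the long-lived domains of legitimate services. The following is an added example, not code from the article or from Kaspersky's report. It reads constructed proxy log lines (timestamp, client IP, destination domain) and flags domains whose whole activity window is short, which have since gone quiet, and which few distinct clients contacted. The thresholds (60-day lifetime, 30 quiet days, five clients) and the log format are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): "<ISO timestamp> <client IP> <domain>".
# One domain is contacted by a single host over roughly three weeks and then vanishes;
# the other is a long-lived destination used by several hosts across months.
SAMPLE_LOG = """\
2013-03-01T09:12:00 10.0.0.15 updates.example-vendor.test
2013-03-01T09:14:10 10.0.0.21 updates.example-vendor.test
2013-03-02T10:01:00 10.0.0.15 cc-hold.example.test
2013-03-09T11:30:00 10.0.0.15 cc-hold.example.test
2013-03-20T08:45:00 10.0.0.15 cc-hold.example.test
2013-04-30T08:45:00 10.0.0.33 updates.example-vendor.test
2013-05-15T12:00:00 10.0.0.15 updates.example-vendor.test
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client_ip, domain) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain = line.split()
        records.append((datetime.fromisoformat(ts), ip, domain))
    return records


def domain_profiles(records):
    """Summarise each domain: first/last contact, distinct clients, total hits."""
    profiles = {}
    clients = defaultdict(set)
    for ts, ip, domain in records:
        clients[domain].add(ip)
        p = profiles.setdefault(domain, {"first_seen": ts, "last_seen": ts, "hits": 0})
        p["first_seen"] = min(p["first_seen"], ts)
        p["last_seen"] = max(p["last_seen"], ts)
        p["hits"] += 1
    for domain, p in profiles.items():
        p["clients"] = len(clients[domain])
    return profiles


def short_lived_domains(records, observation_end, max_lifetime_days=60,
                        min_quiet_days=30, max_clients=5):
    """Return domains matching a hit-and-run profile, sorted by shortest lifetime first.

    A domain is flagged when its activity window (first to last contact) fits within
    max_lifetime_days, it has been silent for at least min_quiet_days as of
    observation_end, and no more than max_clients distinct hosts ever contacted it.
    """
    flagged = []
    for domain, p in domain_profiles(records).items():
        lifetime = (p["last_seen"].date() - p["first_seen"].date()).days
        quiet = (observation_end.date() - p["last_seen"].date()).days
        if (lifetime <= max_lifetime_days and quiet >= min_quiet_days
                and p["clients"] <= max_clients):
            flagged.append({
                "domain": domain,
                "lifetime_days": lifetime,
                "quiet_days": quiet,
                "clients": p["clients"],
                "hits": p["hits"],
            })
    return sorted(flagged, key=lambda r: r["lifetime_days"])


if __name__ == "__main__":
    # Assumed observation cut-off: the end of the log retention window being reviewed.
    for hit in short_lived_domains(parse_log(SAMPLE_LOG), datetime(2013, 6, 1)):
        print(hit)
```

On real logs the long tail of legitimate short-lived domains (CDN hostnames, one-off marketing sites) means this is a triage filter, not a verdict: the flagged list is most useful when joined against domain registration age and against the handful of hosts involved, so that a single workstation quietly talking to a three-week-old domain can be pulled for forensic review.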

"For the past few years, we've seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information", said Kaspersky Lab's director of global research, Costin Raiu.

"The 'hit and run' nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave," he said.

"In the future, we predict the number of small, focused 'APT-to-hire' groups to grow, specialising in hit-and-run operations; sort of 'cyber mercenaries' of the modern world."

Sectors targeted included the military, shipbuilding, maritime, computing, research, telcos, satellite firms and the media. A range of Japanese and South Korean firms had been on the list including Lig Nex1, Selectron Industrial Company, Hanjin Heavy Industries, Korea Telecom, Fuji TV, and the Japan-China Economic Association.

After sinkholing 14 of the 70 detected C&C domains, the firm discovered that 4,000 IP addresses had been infected, including 200 Windows PCs and 350 Macs. This was only a fraction of the true number of victims, Kaspersky said.

The motivation of the Icefog group was almost certainly commercial rather than ideological.

"In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of 'cyber mercenaries' of the modern world," Kaspersky's report concludes.


Stories by John E Dunn
