Kaspersky Lab has identified another Chinese APT campaign. Dubbed 'Icefog', the largely Japanese, Taiwanese and South Korean targets included a well-publicised attack on Japan's House of Representatives in 2011.
Kaspersky Lab and others have released a steady stream of research on what is starting to look like a thriving mostly Chinese industry selling hacking expertise and espionage to governments.
In recent weeks, Symantec published a paper on a major hacking-for-hire group it called 'Hidden Lynx' responsible for a large number of attacks while Kaspersky itself has uncovered evidence that North Korea was trying its hand at the same chicanery with its 'Kimsuky' Trojan.
Judging from Kaspersky's latest research, Icefog looks like a smaller player than Hidden Lynx or the notorious Comment Crew/APT1 convincingly blamed for a hugely successful raid on defence contractor QinetiQ.
At first Icefog doesn't look particularly innovative, pivoting on the same collection of tried and trusted spear-phishing and software exploit via email attacks techniques as every other APT campaign yet discovered. The aim is to gather address books, user credentials, and documents, including those created by Office and the South Korean Hangul word processor.
One interesting variation is a 'Macfog' beta variant targeting 64-bit OS X users. Seeded through Chinese bulletin boards to several hundred victims and masquerading as a graphics application, Kaspersky speculates that this might be a test run for a more featured version designed to attack the platform in a future version.
The campaign's defining characteristic is probably its command and control network, which uses a 'hit and run' model to set up an attack before disappearing in a month or two. This is an unusual tactic. Commercial criminals invest a lot of time and effort trying to protect their C&C; Icefog deliberately builds and dismantles it once the attack is over, a technique of obscuring its activities from security researchers.
This also makes it very hard to estimate the extent of Icefog's activity, Kaspersky said. Dating back to 2011 at least, it had a slower year in 2012 before an uptick in 2013, but this could just be another consequence of its temporary C&C design.
"For the past few years, we've seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information", said Kaspersky Lab's director of global research, Costin Raiu.
"The 'hit and run' nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave," he said.
"In the future, we predict the number of small, focused 'APT-to-hire' groups to grow, specialising in hit-and-run operations; sort of 'cyber mercenaries' of the modern world."
Sectors targeted included the military, shipbuilding, maritime, computing, research, telcos, satellite firms and the media. A range of Japanese and South Korean firms had been on the list including Lig Nex1, Selectron Industrial Company, Hanjin Heavy Industries, Korea Telecom, Fuji TV, and the the Japan-China Economic Association.
After sinkholing 14 of 70 detected C&C domains, the firm had discovered that 4,000 IP addresses had been infected, including 200 Windows PCs and 350 Macs. This was only a fraction of the true number of victims, Kaspersky said.
The motivation of the Icefog group was almost certainly commercial rather than ideological.
"In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of 'cyber mercenaries' of the modern world," Kaspersky's report concludes.