The Challenges in Analyzing ‘Bite-Sized’ Attacks

Recent media reports describe how various government, media and technology companies in Japan and South Korea were victims of a new kind of cyberattack dubbed Icefog. According to Kaspersky Lab, the attacks originated in China and are the work of cybercriminals hired on a project basis. The attackers appeared to know exactly what they wanted to steal, and they left as soon as they found it. In many circles the Icefog attacks have been called “hit-and-run APTs”, an oxymoron (a persistent threat that does not persist) so blatant that it makes my head hurt. Semantics aside, this trend of narrowly focused, contracted attacks will likely change how the industry deals with advanced threats going forward.

First and foremost, the strategy could make the already difficult job of attribution even more daunting. With longer-running intrusions, attribution becomes far easier once analysts can directly monitor a live, ongoing attack and watch the operators’ tooling, infrastructure and mistakes as they happen. By shortening the attack, Icefog-style operators make it far less likely that response teams will get the chance to analyze the intrusion in situ, so to speak. The investigation is then limited to whatever artifacts the attackers left behind in logs, which obviously limits the data available for attribution.

When discussing the Icefog campaign, Kaspersky researchers commented on this very trend.

“… these polished APT groups (have) become much better at flying under the radar,” said Kaspersky Lab researcher Kurt Baumgartner. “Finding a pattern in all the noise is not easy. It’s becoming harder and harder to identify the patterns and connect them with a group.” (Italics are mine).

However, this is only the beginning of the complexity. The ultimate goal of attribution, of course, is to understand who is really behind a particular attack. A cottage industry of targeted attackers for hire would allow the true source of an attack to hide behind a web of contractors. A company could hire attackers to steal intellectual property from a competitor without exposing itself to the risk of committing the crime directly. The same is obviously true for nation-state-sponsored espionage: offending nations could always deny responsibility and point their fingers at organized crime.

And frankly, this is a recipe custom-made for organized crime. Attacks by organized crime have grown increasingly sophisticated and professional over the past several years. However, the vast majority of these operations have remained focused on activity that can be directly monetized: banking botnets, credit card theft, online fraud and click fraud have been the most popular. If contracted attacks become more common, they could move criminal groups up the food chain. It is certainly too early to predict how such a situation would ultimately play out, but it is easy to imagine a world where organized crime rings act as criminal mercenaries working for nation-states.

To combat this threat, the security industry needs to work together and share information. For example, if an organization suffers an Icefog attack, it should share whatever it can recover from its log files with others: the attacker infrastructure, tool hashes, timestamps and sequence of actions, with internal hostnames and user identities stripped out so that sharing does not expose the victim further. As I mentioned previously, hit-and-run APTs are challenging to attribute to any one party because they cannot be studied while they are occurring. However, if a shared pool of post-attack forensic data were available industry-wide, the chances of identifying the cybercriminals responsible for these attacks would increase. With the alarming growth in the number and sophistication of cyberattacks reported in recent months, collaboration may be the security industry’s best defense.
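The two preceding points, that a hit-and-run intrusion leaves investigators only the artifacts in logs and that those artifacts are most useful when pooled across victims, can be put into practice with a small export step run after the incident. The script below is an added example written for this page; it is not code from the column, from Kaspersky Lab or from any Icefog report. The log lines, the field names (host, user, dst, dst_ip, sha256 and so on), the documentation-reserved IP address and domain standing in for attacker infrastructure, the hash value and the organization key are all constructed for illustration. It parses key=value log records, keeps only indicators that point outside the organization’s own address space (RFC 1918 ranges are assumed to be internal), pseudonymizes internal hostnames and usernames with a keyed hash so that they stay consistent across one victim’s submissions but reveal nothing to other parties, and emits a JSON bundle that could be dropped into a shared pool.

```python
"""Turn post-attack log artifacts into a shareable indicator bundle.

Added example, not from the SecurityWeek column or any Icefog report.
All sample data, field names and the organization key are constructed.
"""
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed sample log lines: two proxy events to an external host, an
# anti-virus quarantine, and a proxy event to an internal intranet server.
# 203.0.113.45 and update-cdn.example.net are documentation-reserved values
# standing in for attacker infrastructure; the sha256 is a made-up value.
SAMPLE_LOGS = """\
2013-09-25T08:12:41Z proxy host=ws-finance-07 user=jdoe dst=update-cdn.example.net dst_ip=203.0.113.45 method=GET path=/img/logo.gif ua="Mozilla/4.0 (compatible; MSIE 6.0)"
2013-09-25T08:12:43Z proxy host=ws-finance-07 user=jdoe dst=update-cdn.example.net dst_ip=203.0.113.45 method=POST path=/up.php bytes_out=184320 ua="Mozilla/4.0 (compatible; MSIE 6.0)"
2013-09-25T08:13:02Z av host=ws-finance-07 user=jdoe action=quarantine file="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe" sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2013-09-25T08:15:10Z proxy host=ws-finance-07 user=jdoe dst=10.0.4.12 dst_ip=10.0.4.12 method=GET path=/intranet/ ua="Mozilla/4.0 (compatible; MSIE 6.0)"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IDENTIFYING_FIELDS = ("host", "user")  # values that identify the victim, never shared raw


def parse_line(line):
    """Split '<ts> <source> k=v k="v v" ...' into a record dict."""
    ts, source, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "source": source, "fields": fields}


def is_internal_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def pseudonymize(value, org_key):
    """Keyed hash: stable within one organization's submissions, opaque to others."""
    return "psn-" + hmac.new(org_key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize(record, org_key):
    """Replace identifying values everywhere they occur, including inside file paths."""
    fields = dict(record["fields"])
    for key in IDENTIFYING_FIELDS:
        if key in fields:
            original, token = fields[key], pseudonymize(fields[key], org_key)
            for k in list(fields):
                fields[k] = fields[k].replace(original, token)
    return {"ts": record["ts"], "source": record["source"], "fields": fields}


def extract_indicators(fields):
    """Return (type, value) pairs that point at attacker infrastructure or tooling."""
    found = []
    dst_ip = fields.get("dst_ip")
    if dst_ip and not is_internal_ip(dst_ip):
        found.append(("ipv4", dst_ip))
        dst = fields.get("dst")
        if dst and dst != dst_ip:  # a hostname rather than a bare IP
            found.append(("domain", dst))
            if "path" in fields:
                found.append(("url", "http://%s%s" % (dst, fields["path"])))
    for algo in ("md5", "sha1", "sha256"):
        if algo in fields:
            found.append((algo, fields[algo].lower()))
    if found and "ua" in fields:  # only share the UA seen alongside external activity
        found.append(("user-agent", fields["ua"]))
    return found


def build_share_bundle(raw_logs, org_key):
    """Aggregate indicators with first/last seen and sanitized events into one bundle."""
    indicators, events = {}, []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        clean = sanitize(record, org_key)
        events.append(clean)
        for itype, value in extract_indicators(record["fields"]):
            entry = indicators.setdefault((itype, value), {
                "type": itype, "value": value, "first_seen": record["ts"],
                "last_seen": record["ts"], "sightings": 0, "hosts": set()})
            entry["first_seen"] = min(entry["first_seen"], record["ts"])  # ISO 8601 sorts lexically
            entry["last_seen"] = max(entry["last_seen"], record["ts"])
            entry["sightings"] += 1
            entry["hosts"].add(clean["fields"].get("host", ""))
    out = [dict(e, hosts=sorted(e["hosts"])) for e in indicators.values()]
    return {"format": "example-share-bundle-v0", "indicators": out, "events": events}


if __name__ == "__main__":
    print(json.dumps(build_share_bundle(SAMPLE_LOGS, b"constructed-org-key"), indent=2))
```

The intranet request is dropped from the indicator list, the username disappears from the quarantined file path as well as from its own field, and the same host token appears on every indicator the host touched, so a recipient can still tell that one victim machine contacted the domain, posted to /up.php and ran the quarantined binary without learning which machine it was. The keyed hash is the important caveat: an unkeyed SHA-256 of a short hostname or username is trivially reversible by brute force, which is why the pseudonym is an HMAC under a key the victim never shares.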

Related Podcast: Inside the Icefog APT Attacks
