Recent reports in the media are detailing how various government, media and technology companies in Japan and South Korea were victims of a new kind of cyberattack dubbed Icefog. The attacks originated in China and are the work of cybercriminals hired on a project basis, according to Kaspersky Lab. The attackers appeared to know exactly what they were trying to steal, and they left as soon as they found it. In many circles, the Icefog attacks have been called “hit-and-run APTs” – an oxymoron so blatant that it makes my head hurt. However, semantics aside, this trend of relatively focused, contracted attacks will likely have an effect on how the industry deals with advanced threats moving forward.
First and foremost, the strategy could make the already difficult job of attack attribution even more daunting. With other attacks, attribution only becomes possible when analysts have the opportunity to directly monitor a live and ongoing attack. By shortening the scope of the attack, it’s far less likely that response teams will get the chance to analyze Icefog in situ, so to speak. This means that the investigation may be limited to analyzing whatever artifacts the attackers have left behind in logs, which obviously would limit the data available that could be used for attribution.
When discussing the Icefog campaign, Kaspersky researchers commented on this very trend.
“… these polished APT groups (have) become much better at flying under the radar,” said Kaspersky Lab researcher Kurt Baumgartner. “Finding a pattern in all the noise is not easy. It’s becoming harder and harder to identify the patterns and connect them with a group.” (Italics are mine).
However, this is also just the beginning of the complexity. The ultimate goal of attribution, of course, is to understand who is really behind a particular attack. A cottage industry of targeted attackers that can be hired to steal specific information would allow the true source of the attack to hide behind a web of contractors. A company could hire attackers to steal intellectual property from a competitor without having to expose themselves to the risk of committing the crime themselves. The same is obviously true for nation-state sponsored espionage. Offending nations could always deny responsibility and point their fingers at organized crime.
And frankly this is a recipe that is custom-made for organized crime. Information attacks by organized crime have grown increasingly more sophisticated and professional over the past several years. However, the vast majority of these operations have remained focused on attacks that could be directly monetized; banking botnets, credit card theft, online fraud and click-fraud have been the most popular. If contracted attacks become more common, this could potentially move criminal groups up the food chain. It’s certainly too early to predict how such a situation would ultimately play out, but it is easy to imagine a world where organized crime rings act as criminal mercenaries working for nation-states.
To combat this threat, the security industry needs to work together and share information. For example, if an organization suffers an Icefog attack, it should share whatever it can find in its log files with others. As I mentioned previously, hit-and-run APTs are challenging to attribute to any one party since that they can’t be studied while they’re occurring. However, if a shared pool of post-attack forensic data were available industry wide, the chances of identifying the cybercriminals responsible for these attacks would increase. With the alarming growth in the number and sophistication of cyberattacks that have been reported in recent months, collaboration may be the security industry’s best defense.
Related Podcast: Inside the Icefog APT Attacks