Kaspersky Lab has uncovered details on what they believe is a small yet sophisticated and determined group of attackers targeting several industrial and high tech organizations in South Korea and Japan.
Kaspersky identifies the cyber-espionage campaign as “Icefog”, with researchers describing the tactics used as “hit and run” attacks against very specific targets with “surgical precision”.
“We believe this is a relatively small group of attackers that are going after the supply chain — targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan,” Kaspersky Lab experts wrote in a post to the company’s Securelist blog late Wednesday.
According to Kaspersky, the attackers targeted, but did not necessarily compromise, defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV, and the Japan-China Economic Association.
The operation commenced in 2011, the report said, and has grown in size and scope over the last few years; it includes successful attacks against the Japanese House of Representatives and the House of Councillors in 2011.
In total, Kaspersky Lab said that it has observed more than 4,000 unique infected IPs and several hundred victims.
“At its core, Icefog is a backdoor that serves as an interactive espionage tool that is directly controlled by the attackers,” the Russian security firm explained. “It does not automatically exfiltrate data but is instead manually operated by the attackers to perform actions directly on the infected live systems. During Icefog attacks, several other malicious tools and backdoors are uploaded to the victims’ machines for lateral movement and data exfiltration.”
The attackers apparently know what they are after and target sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network, Kaspersky said.
Interestingly, after the attackers get what they want, they leave and don’t hang around looking for more.
“While in most other APT campaigns, victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave,” Kaspersky noted.
“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information,” said Costin Raiu, Director, Global Research & Analysis Team. “The ‘hit and run’ nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world.”
Versions of Icefog have been identified for both Microsoft Windows and Mac OS X systems. However, while Kaspersky Lab was able to find more than 350 Mac OS X infections, it has not yet identified any targeted-attack victims infected with the Mac version, though it believes they exist.
Most Mac OS X victims (95%) are in China, according to the report, as the Mac version was being spread through Chinese bulletin boards which could have been a beta-testing phase for Mac OS X versions to be used in targeted attacks down the road.
Through extensive analysis of the code and of the IP addresses used to monitor and control the infrastructure, Kaspersky researchers have made the assumption that some of the players behind the threat operation are based in at least three countries: China, South Korea and Japan, with the largest number stemming from China.
Kaspersky said additional information on attribution is available in a private report available to governments.
Kaspersky’s team has managed to sinkhole 13 of the 70+ domains used by the attackers so far, which helped them generate statistics on the number of victims. Additionally, the Icefog command and control servers kept encrypted logs of their victims along with the various operations performed on them, which can assist in identifying the targets of the attacks and possibly the victims.
According to the report, in addition to Japan and South Korea, many sinkhole connections from other countries were seen, including connections in Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
While the focus of the Icefog attacks has been mainly in South Korea and Japan, Kaspersky researchers say it is likely that the crew targets organizations in the Western world as well, including the U.S. and Europe.
Depending on the level of malicious intent by the attackers and their success in penetrating companies connected to the technology supply chain, the fallout of these attacks or similar attacks could be serious.
Less than a year ago, Gartner analysts warned that IT supply chain integrity issues are real, and would have mainstream enterprise IT impact within the next five years.
Gartner is not the only group voicing concern over risks in the IT supply chain. A March 2012 report from Northrop Grumman prepared for the U.S.-China Economic and Security Review Commission warned that “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety.”
In March 2012, “The Open Group,” a consortium of supply chain experts, shared details on standards designed to improve the security of the global supply chain for commercial software and hardware products.
“The modern supply chain depends upon a complex and interrelated network involving the movement of goods, services, funds, and information across a wide range of global participants, making it vulnerable to increasingly sophisticated cyberattacks and an ever increasing range of breaches and disruptions,” Andras Szakal, vice president and chief technology officer, IBM U.S. Federal, said previously.
The U.S. Department of Defense has also shown awareness of these supply-chain risks, and has initiated a Supply Chain Risk Management (SCRM) policy and strategy to address the vulnerabilities.
According to a U.S. Department of Defense report (DTM 09-016) from March 2010, “A pilot program is under way, with the objective of live application by FY 2016, to implement ‘a SCRM capability that integrates program protection planning, enterprise architecture, counterintelligence, information assurance, systems engineering, procurement, enhanced test and evaluation, and other measures to mitigate supply chain risk.’”
Kaspersky used the name “Icefog” because of a string used in the command-and-control server (C&C) name of one of the malware samples they analyzed.
In the video below, Vitaly Kamluk, a principal security researcher on Kaspersky Lab’s Global Research and Analysis team, describes Icefog in more detail.
Kaspersky Lab has published a full report (PDF) with a detailed description of the backdoors and other malicious tools used in Icefog, along with indicators of compromise (IOC). An FAQ is also available.