Security Experts:

'Icefog' Cyber Attacks Targeted US Energy Firms Using Java Backdoor

After shutting down operations, the Icefog APT campaign shows new evidence of victims in the United States.

In September 2013, Kaspersky Lab uncovered details on an attack campaign targeting several industrial and high tech organizations in South Korea and Japan. Kaspersky identified the cyber-espionage campaign as "Icefog”, with researchers previously describing the tactics used as “hit and run” attacks against very specific targets with “surgical precision”. That appears to have changed, as ongoing monitoring of the cyber-espionage campaign has found that attackers zoned in on more targets than previously thought, including organizations in the United States.

Based on the IP address of an infected system, one victim was identified as a very large American-based Oil and Gas company with operations in many other countries.

The name "Icefog" was used because of a string used in the command-and-control server (C&C) name of one of the malware samples they analyzed.

Icefog MalwareAfter publishing their report last year and sinkholing several domains, Kaspersky researchers said the Icefog attackers “went completely dark” and had shut down all known command-and-control servers.

“Icefog offensive activity terminated quickly after the report, and accordingly, victims and organizations began to identify compromised systems and cleanup in the following weeks and months,” Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab, told SecurityWeek. “The sharpest drop-off in activity appeared to be in the Dec – January timeframe, where check-ins declined approximately 75 percent.”

While offensive activity may have ended, during their ongoing monitoring, researchers saw what they describe as an "interesting type of connection" indicating the existance of a Java version of Icefog, which researchers are calling “Javafog”.

Kaspersky researchers previously had discovered 6 different variations of the malware targeting Windows PCs, along with a native Mac OS X version of Icefog.

While a Mac-based version was previously detected in the wild, mainly being spread through Chinese bulletin boards, Kaspersky had not previously identified a Mac OS X victim. Now, according to the Russian security firm, it has been determined that the Mac-based version infected several hundred victims across the globe.

While one US-based energy firm was identified as a victim, it certainly was not the only target Icefog/Javafog has gone after, and it’s not surprising that attackers continue to target critical infrastructure companies.

According to a report from Symantec released this month, between July 2012 to June 2013, Symantec saw an average of 74 targeted attacks per day across the globe. Of these, nine attacks per day targeted the energy sector.

“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target,” Kaspersky researchers noted on the company’s Securelist blog. “This brings another dimensions to the Icefog gang’s operations, which appear to be more diverse than initially thought.”

Through their efforts, Kaspersky Lab’s experts were able to identify 72 different command-and-control servers, and managed to sinkhole 27 of them. “The truth is that even at the time of writing, detection for Javafog is extremely poor (3/47 on VirusTotal),” the researchers said. “Java malware is definitively not as popular as Windows PE malware, and can be harder to spot.”

One domain that Kaspersky Lab was able to take control of due to an expired domain registration, was lingdona[dot]com.

According to Kaspersky Lab, the domain was originally hosted in Hong Kong, at IP 206.161.216.214 and 103.20.195.140, and appeared suspicious because of the registration data, which were similar to other known Icefog domains.

When Kaspersky’s team sinkholed the domain, researchers witnessed suspicious connections happening almost every 10 seconds, with the User-Agent string indicating the client could be a Java application—something unusual as all other Icefog variants used IE User-Agent strings.

At the time, Kaspersky Lab did not have a malware sample of the Java-based Icefog Trojan, but was later able to find one, which had a JAR file that appeared to be created on Nov. 30, 2012. Upon startup, the malware attempts to register itself as a startup entry to achieve persistence, the researchers explained, and then writes a registry value to ensure it is automatically started by Windows. After being successfully installed, the malware sends the full system information profile, which the attackers can use to determine if the victim could be a target of interest.

“The backdoor doesn’t do much else,” the researchers noted. “It allows the attackers to control the infected system and download files from it. Simple, yet very effective.”

In one incident, researchers witnessed an attack that exploited a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, calling back to a different C&C.

After sinkholing the lingdona[dot]com" domain, Kaspersky observed 8 IPs for three unique victims of Javafog, all of them in the United States.

“When a tool works for targeted attack campaigns, it’s duration of use is extended,” Baumgartner said. “We have seen backdoors from other campaigns used for years too. I think that this tool’s extended half-life demonstrates that Javafog distribution was very focused and limited, and that Java backdoors can be difficult to identify and prevent for defenders.”

Previous analysis by Kaspersky Lab of the code and the IP addresses used to monitor and control the infrastructure helped researchers make the assumption that some of the players behind the threat operation are based in at least three countries: China, South Korea and Japan, with the largest number stemming from China.

Kaspersky Lab said all victims have been notified about the infections, and that two have removed it already.

Additional details on the Icefog/Javafog attacks can found on Kaspersky Lab’s Securelist.

Related: Listen to SecurityWeek’s September 2013 Podcast, where Costin Raiu of Kaspersky Lab talks about the global implications of the Icefog APT campaign.

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.