Press Release

Kaspersky Lab Exposes “Icefog”: A New Cyber-espionage Campaign Focusing on Supply Chain Attacks

New trend: the emergence of small groups of cyber-mercenaries available for hire to perform surgical hit and run operations

Woburn, MA – September 25, 2013--Kaspersky Lab’s security research team today announced at Billington CyberSecurity's 4th Annual Cybersecurity Summit and published a new research paper about the discovery of “Icefog,” a small yet energetic Advanced Persistent Threat (APT) group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years.

“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information,” said Costin Raiu, Director, Global Research & Analysis Team. “The ‘hit and run’ nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world.”

Main Findings:
- Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.

- Research indicates the attackers were interested targeting defense industry contractors such as Lig Nex1 and Selectron Industrial Company, ship-building companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.

- The attackers hijack sensitive documents and company plans, email account credentials, and passwords to access various resources inside and outside the victim’s network.

- During the operation, the attackers use the Icefog backdoor set (also known as “Fucobha”). Kaspersky Lab has identified versions of Icefog for both Microsoft Windows and Mac OS X.

- While in most other APT campaigns, victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.

- In most cases, the Icefog operators appear to know very well what they need from the victims. They look for specific filenames, which are quickly identified, and transferred to the C&C.

The Attack & Functionality
Kaspersky researchers have sinkholed 13 of the 70+ domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them. These logs can sometimes help to identify the targets of the attacks and in some cases, the victims. In addition to Japan and South Korea, many sinkhole connections in several other countries were observed, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. In total, Kaspersky Lab observed more than 4,000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).

Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the players behind this threat operation are based in at least three countries: China, South Korea and Japan.

Kaspersky Lab’s products detect and eliminate all variants of Icefog malware.

To read the full report with a detailed description of the backdoors, other malicious tools and stats, together with indicators of compromise, see Securelist. A complete Icefog FAQ is also available.

About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contacts
Susan Rivera
781.503.5211
Susan.rivera@kaspersky.com

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published in the IDC report "Worldwide Endpoint Security 2012–2016 Forecast and 2011 Vendor Shares (IDC #235930, July 2012). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2011.