Kaspersky Lab Expert Analyses APT Icefog

Press release - Petaling Jaya, October 18, 2013

Kaspersky Lab’s security research team recently published a research paper on the discovery of the Icefog cyber-espionage campaign which is described as a small yet energetic Advanced Persistent Threat (APT) group that focuses on hitting the supply chain of Western companies in South Korea and Japan. Sinkhole connection in Malaysia and Singapore were also observed. The operation started in 2011 and has increased in size and scope over the last few years.

“Icefog is different. The ‘hit and run’ nature of the Icefog attacks demonstrate a new emerging trend, of smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks rather than the months or years of more traditional APTs. After obtaining what they were looking for, the Icefog attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” Mr. Molsner explained; Mr. Michael Molsner, a member of the Global Research & Analysis Team who is based in Japan, and who is part of the team credited with discovering and analyzing the Icefog APT.

The source of attacks were predicted to have been originated from China, South Korea and Japan.

The Key Findings of Icefog Attacks:
Mr. Michael Molsner
  • The attackers rely on spear-phishing and exploits for known vulnerabilities (eg. CVE-2012-0158, CVE-2012-1856, CVE-2013-0422 and CVE-2012-1723).
  • The attackers are hijacking sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim’s network.
  • During the operation, the attackers are using the “Icefog” backdoor set (also known as “Fucobha”). Kaspersky Lab identified versions of Icefog for both Microsoft Windows and Mac OS X.

In total, Kaspersky Lab observed more than 4,000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).

Original reference.

Faris Zakaria
Tel: 03.8075.6000 Mobile: 017.574.3840
E-mail: faris.zakaria@aboutcom.com.my