Enterprise -> Technology
Released: 26th September 2013
Today Kaspersky Lab’s research team published a new report on the discovery of ‘Icefog’, a small yet energetic APT (Advanced Persistent Threat) group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years. The report shows a new trend - the emergence of small groups of ‘cyber-mercenaries’ available for hire to perform ‘surgical’ hit and run operations.
“For the past few years, we’ve seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information”, said Costin Raiu, Director, Global Research & Analysis Team at Kaspersky Lab. “The “hit and run” nature of the Icefog attacks demonstrate a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused “APT-to-hire” groups to grow, specialising in hit-and-run operations; sort of ‘cyber mercenaries’ of the modern world.
The Attack & Functionality
Kaspersky researchers have sinkholed 13 of the more than 70 domains used by the attackers. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of the victims together with the various operations performed on them by the operators. These logs can sometimes help to identify the targets of the attacks and in some cases, the victims. In addition to Japan and South Korea, many sinkhole connections in several other countries were observed, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. In total, Kaspersky Lab observed more than 4000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).
Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the threat actors behind this operation are based in at least three countries: China, South Korea and Japan.
Kaspersky Lab’s products detect and eliminate all variants of this malware.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 15-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.co.uk.
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761