A targeted attack campaign uncovered by Kaspersky Lab may highlight the emergence of a cadre of "cybermercenaries," or for-hire hackers, willing to hack into foreign government agencies and corporate networks to steal data on behalf of a country.
Kaspersky Lab researchers said the targeted attack campaign, called Icefog, is believed to have ties to the Chinese government and has been in existence since 2011. It has been targeting government contractors, shipbuilding companies and high-tech manufacturers in Japan and South Korea. The campaign is seen as unusual in that the hacking group conducts hit-and-run attacks, gaining access to victims' systems and then abandoning them once the information is stolen, rather than maintaining a presence for months or years.
"While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned," Kaspersky Lab said in its Icefog APT (.pdf) report analyzing the attacks. "We predict the number of small, focused APT-for-hire groups to grow, specializing in hit-and-run operations, a kind of 'cyber-mercenaries' of the modern world."
The targeted attacks are carried out using spearphishing emails that deliver mainly Microsoft Word and Excel documents laced with custom-made malware designed to exploit Oracle Java vulnerabilities and Microsoft Office flaws. The group is not using zero-day exploits, Kaspersky said.
Kaspersky added that despite its use of Microsoft documents in phishing attacks, the Icefog group has both Windows and Mac malware at its disposal. The security researchers said that the bulk of successful attacks are aimed at PC users, but a review of the command and control server data shows "several hundred" Mac infections, which had not been detected by security software.
Kaspersky researchers have been steadily releasing analysis on newly identified targeted attack campaigns. A recent analysis of the NetTraveler surveillance attacks revealed that the campaign has been in existence for nearly a decade, infecting systems in at least 40 countries. The firm's research in January on the Red October attacks uncovered a sophisticated campaign that was used to steal data from a wide variety of government, scientific and energy sector organizations. The advanced persistent threat rivaled the Flame and Gauss/Tilded cyberespionage attacks uncovered in 2012.
Kaspersky said the Icefog campaign uses some of the same tactics identified by security firm Mandiant in its report on a China-based hacking group known as APT1. Those hackers use Microsoft HLP files to manipulate Windows help features and drop malware, Kaspersky said.
The attackers gather information about the victim and their network, stealing account credentials, passwords saved in Internet Explorer and email account credentials from Outlook. Some of the stolen data included Windows address books, document and spreadsheet files and other data stored on the victim's system.
Early versions of the attacks sent the stolen data by email, but newer versions send compressed, encrypted files to remote command and control servers, where researchers found a string of characters containing the Icefog name.
PUBLISHED SEPT. 26, 2013