Hackers Hit Three Large U.S. Firms, Smaller MSSPs Should Be On Alert

A loose-knit group of cyberattackers believed to have ties to the Chinese government has infiltrated several U.S. companies using Java-based malware and established a long- term presence.

The latest round of attacks could be a U.S.-specific operation, said researchers at security vendor Kaspersky Lab in a report released Tuesday. The malware, called Javafog, can remain stealthy, maintaining a presence on corporate systems, the Kaspersky researchers said. Until now, the latest attacks from the cybermercenary hacking operation known as Icefog have used hit-and-run-style tactics, abandoning infected systems once data is accessed.

"With Javafog, we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers," according to the report issued by Kaspersky. "We can assume that, based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long-term operations."

[Related: 10 Security Predictions For 2014 ]

Kaspersky said it tracked successful attacks against an American independent oil and gas corporation with global operations and at least two other U.S.-based companies. All have been informed about the malware and addressed the infected systems, according to Kaspersky.

Resellers and managed security service providers (MSSPs) that work with clients that have ties to larger firms can find themselves targeted by advanced persistent threats, according to solution providers. Ongoing attacks have targeted government contractors, ship-building companies and high-tech manufacturers, but the cybercriminals often choose to first attack smaller partners -- including IT service providers -- to glean information on their ultimate target, said Rob Delevan, information technology consultant at Wasatch I.T., a Kaspersky Lab partner. The attackers can collect email addresses or use the MSSP infrastructure in an attempt to gain access to their ultimate target via a spearphishing email, Delevan said.

"We're seeing cybercriminals going on up the stack to larger enterprises," Delevan said. "It's been talked about for years, but something is finally coming to fruition. A managed service provider can be used to get access to multiple contacts from one source."

Detecting Javafog is difficult, Kaspersky said, with only a handful of firms able to block the malware. The Java malware used in the Javafog campaign exploits a Microsoft Office vulnerability, according to the research.

A successful attack establishes a hidden backdoor into the network, enabling the cybercriminals to control the infected system and download files from it. The attackers can remain persistent on systems for months and sometimes years using a backdoor, say security experts.

When Icefog was first identified last September, the attacks targeted Microsoft Word, Excel documents laced with custom Icefog malware designed to target Oracle Java vulnerabilities, and Microsoft Office flaws. So far the group hasn't been seen targeting zero-day vulnerabilities.

The Icefog operation has been active since 2011 and is believed to be behind six different generations of malware, according to Kaspersky. The research team gained access to 27 of the 72 command-and-control servers operated by the group. Kaspersky researchers also said they identified a native Mac OS X implementation of Icefog called Macfog, believed to have infected several hundred victims globally.

PUBLISHED JAN. 14, 2014