A loose-knit group of cyberattackers believed to have ties to the Chinese government has infiltrated several U.S. companies using Java-based malware and established a long-term presence.
The latest round of attacks could be a U.S.-specific operation, said researchers at security vendor Kaspersky Lab in a report released Tuesday. The malware, called Javafog, can remain stealthy, maintaining a presence on corporate systems, the Kaspersky researchers said. Until now, the latest attacks from the cybermercenary hacking operation known as Icefog have used hit-and-run-style tactics, abandoning infected systems once data is accessed.
"With Javafog, we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers," according to the report issued by Kaspersky. "We can assume that, based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long-term operations."
Kaspersky said it tracked successful attacks against an American independent oil and gas corporation with global operations and at least two other U.S.-based companies. All have been informed about the malware and addressed the infected systems, according to Kaspersky.
Resellers and managed security service providers (MSSPs) whose clients have ties to larger firms can find themselves targeted by advanced persistent threats, according to solution providers. Ongoing attacks have targeted government contractors, ship-building companies and high-tech manufacturers, but the cybercriminals often choose to first attack smaller partners -- including IT service providers -- to glean information on their ultimate target, said Rob Delevan, information technology consultant at Wasatch I.T., a Kaspersky Lab partner. The attackers can collect email addresses or use the MSSP's infrastructure in an attempt to reach their ultimate target via a spearphishing email, Delevan said.
"We're seeing cybercriminals going on up the stack to larger enterprises," Delevan said. "It's been talked about for years, but something is finally coming to fruition. A managed service provider can be used to get access to multiple contacts from one source."
Detecting Javafog is difficult, Kaspersky said, with only a handful of firms able to block the malware. The Java malware used in the Javafog campaign exploits a Microsoft Office vulnerability, according to the research.
A successful attack establishes a hidden backdoor into the network, enabling the cybercriminals to control the infected system and download files from it. The attackers can remain persistent on systems for months and sometimes years using a backdoor, say security experts.
When Icefog was first identified last September, the attacks used Microsoft Word and Excel documents laced with custom Icefog malware that exploited Oracle Java vulnerabilities and Microsoft Office flaws. So far the group hasn't been seen targeting zero-day vulnerabilities.
The Icefog operation has been active since 2011 and is believed to be behind six different generations of malware, according to Kaspersky. The research team gained access to 27 of the 72 command-and-control servers operated by the group. Kaspersky researchers also said they identified a native Mac OS X implementation of Icefog called Macfog, believed to have infected several hundred victims globally.
PUBLISHED JAN. 14, 2014