Icefog Crew Shows You Don’t Need a 100 Person Team to be an APT

Kaspersky Lab has published a report on the activities of a small crew of advanced hackers using custom tools. Kaspersky received assistance from the Korea Internet & Security Agency and Interpol during their investigation. The team appears to be based in China and has an estimated 10 members. The targets of the team have been in various industrial sectors; among them military contractors, shipbuilding and maritime operations, research companies, telecom operators, satellite operators, and mass media and television operators. The attacks have been primarily restricted to South Korea and Japan. The attack software used by the group, Icefog, has current versions for both Windows and Macintosh.

The attack methodology of the group has primarily been “spear-phishing”, and in the past they have relied on exploits embedded in Microsoft Office documents, though they have also directed users to Java exploits. In contrast to other APT operators, the Icefog group’s software does not automatically take files from the victim’s machine. The backdoor used is manually directed, and the attackers seem to have some idea what they are looking for with each target, often searching for individual files. After the team has obtained what they want, they abandon the compromised machines and move on to other targets.

Icefog appears to be operating as short-term cyber-mercenaries, taking orders for attacks and obtaining requested documents from their targets. Their earliest attacks seem to have begun in 2011. The combination of their small size, their directed and short-term actions, and the use of custom software (although no 0-day attacks were detected by Kaspersky) raises many questions about the future trajectory of actors in the persistent threat arena. Even if state-supported groups with up to a hundred members like the Comment Crew and Hidden Lynx loom largest on the horizon, there should be no doubt that small teams like Icefog and others yet undiscovered are riding close in their wakes.


Dan Gifford – MCySec Media Manager