'Cyber mercenaries' target Japan, South Korea

Security researchers have announced the discovery of a 'cyber mercenary' team which specialises in attacks on targets in Japan and South Korea, with more attacks said to come.

Russian computer security firm Kaspersky today said it has discovered 'Icefog', an Advanced Persistent Threat group apparently based in China that hits the supply chains of Western companies.

Kaspersky said the discovery reveals the emergence of small groups of cyber-mercenaries available for hire to perform surgical hit-and-run operations, with activity beginning in 2011 and increasing in size and scope over the last few years.

“The ‘hit and run’ nature of the Icefog attacks demonstrates a new emerging trend - smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specialising in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” Costin Raiu, Director, Global Research & Analysis Team, said.

Kaspersky researchers have sinkholed 13 of the 70+ domains used by the attackers, which helped provide statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them. These logs can sometimes help to identify the targets of the attacks and in some cases, the victims.

Andrew Mamonitis, Kaspersky Lab ANZ’s Managing Director, said that those in the business of cyber-espionage often exploit the most vulnerable entry points by using corporate networks as a platform from which to access other network channels.

“In most cases, auxiliary companies have more relaxed security parameters in place despite holding valuable data about the parent target. It is these secondary business service providers across all levels of the corporate chain which are most vulnerable to external breaches,” he said.

In addition to Japan and South Korea, many sinkhole connections in several other countries were observed, including Australia. In total, Kaspersky Lab observed more than 4,000 unique infected IPs and several hundred victims (a few dozen Windows victims and more than 350 Mac OS X victims).

Based on the list of IPs used to monitor and control the infrastructure, Kaspersky Lab’s experts assume some of the players behind this threat operation are based in at least three countries: China, South Korea and Japan.

Main Findings:

  • Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
  • Research indicates the attackers were interested in targeting defence industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, and media companies such as Fuji TV.
  • The attackers hijack sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim’s network.
  • During the operation, the attackers use the “Icefog” backdoor set (also known as “Fucobha”). Kaspersky Lab has identified versions of Icefog for both Microsoft Windows and Mac OS X.
  • While in most other APT campaigns victims remain infected for months or even years and attackers continuously steal data, Icefog operators process victims one by one, locating and copying only specific, targeted information. Once the desired information has been obtained, they leave.
  • In most cases, the Icefog operators appear to know very well what they need from the victims. They look for specific filenames, which are quickly identified and transferred to the C&C.

To read the full report with a detailed description of the backdoors, other malicious tools and stats, together with indicators of compromise, visit Securelist. A complete Icefog FAQ is also available.

David Swan

David Swan is a tech journalist from Melbourne and is iTWire's Associate Editor. Having started off as a games reviewer at the age of 14, he now has a degree in Journalism from RMIT (with Honours) and owns basically every gadget under the sun.
