"There are both Windows and OS X variants of Icefog. The Windows machines are infected through "hit and run" targeted attacks. The attackers come, steal what they want and leave. The Mac OS X machines were infected through a different method in what appeared to be a "beta testing" phase of the Mac OS X backdoor."
The post-exploitation nature of the attack, together with the focused list of targets and victims, has led Kaspersky to classify Icefog as an APT event, particularly because the exfiltration of files isn't automated: the attackers process victims one by one and are selective about what information is stolen.
"For the past few years, we've seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information," said Costin Raiu, the Director of Kaspersky's Global Research & Analysis Team.
"The 'hit and run' nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that go after information with surgical precision. The attack usually lasts for a few days or weeks, and after obtaining what they were looking for, the attackers clean up and leave."
A published report on Icefog is available online.