
Chinese 'Icefog' gang attacks Asian countries using 'hit and run' APTs

John E Dunn | Sept. 30, 2013
Traced to a clutch of past attacks

Kaspersky Lab has identified another Chinese APT campaign. Dubbed 'Icefog', the campaign's targets, largely Japanese, Taiwanese and South Korean, included a well-publicised attack on Japan's House of Representatives in 2011.

Kaspersky Lab and others have released a steady stream of research on what is starting to look like a thriving mostly Chinese industry selling hacking expertise and espionage to governments.

In recent weeks, Symantec published a paper on a major hacking-for-hire group it called 'Hidden Lynx', responsible for a large number of attacks, while Kaspersky itself has uncovered evidence that North Korea was trying its hand at the same chicanery with its 'Kimsuky' Trojan.

Judging from Kaspersky's latest research, Icefog looks like a smaller player than Hidden Lynx or the notorious Comment Crew/APT1, convincingly blamed for a hugely successful raid on defence contractor QinetiQ.

At first Icefog doesn't look particularly innovative, relying on the same tried and trusted spear-phishing and email-borne software exploit techniques as every other APT campaign yet discovered. The aim is to gather address books, user credentials and documents, including those created by Office and the South Korean Hangul word processor.

One interesting variation is a 'Macfog' beta variant targeting 64-bit OS X users. Seeded through Chinese bulletin boards to several hundred victims and masquerading as a graphics application, it might, Kaspersky speculates, be a test run for a more fully featured future version designed to attack the platform.

The campaign's defining characteristic is probably its command and control network, which uses a 'hit and run' model: infrastructure is set up for an attack and then disappears within a month or two. This is an unusual tactic. Commercial criminals invest a lot of time and effort trying to protect their C&C; Icefog deliberately builds it and dismantles it once the attack is over, a way of obscuring its activities from security researchers.

This also makes it very hard to estimate the extent of Icefog's activity, Kaspersky said. Dating back to 2011 at least, it had a slower year in 2012 before an uptick in 2013, but this could just be another consequence of its temporary C&C design.
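To illustrate the footprint such temporary infrastructure can leave in a defender's own logs, here is an added Python example (not Kaspersky's code or anything from its report): it scans constructed proxy log lines for destinations whose entire contact history fits in a short window and that have since gone silent. The thresholds, host names and domains are assumptions.

```python
"""Flag destinations whose whole contact history fits in a short window and
that have since gone quiet, the footprint a 'hit and run' C&C can leave in
outbound proxy logs. Example code; domains, hosts and log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log excerpt: "<ISO timestamp> <source host> <destination>"
SAMPLE_LOG = """\
2013-03-01T09:02:11 ws-017 update-check.example
2013-03-02T09:03:40 ws-017 update-check.example
2013-03-03T09:01:55 ws-022 update-check.example
2013-03-04T09:04:02 ws-017 update-check.example
2013-03-05T09:02:33 ws-022 update-check.example
2013-03-06T09:00:48 ws-017 update-check.example
2013-01-15T10:00:00 ws-017 cdn.example
2013-04-20T10:00:00 ws-022 cdn.example
2013-07-11T10:00:00 ws-017 cdn.example
2013-09-29T10:00:00 ws-030 cdn.example
2013-09-28T14:00:00 ws-030 once.example
"""

def parse_log(text):
    """Yield (timestamp, host, destination) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, host, dest = line.split()
            yield datetime.fromisoformat(ts), host, dest

def short_lived_destinations(text, now, max_window_days=60,
                             min_contacts=5, quiet_days=14):
    """Return destinations whose first-to-last contact span is at most
    max_window_days, with at least min_contacts contacts and none in the
    quiet_days before `now`. Thresholds are assumptions to tune per network."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, _host, dest in parse_log(text):
        first[dest] = min(first.get(dest, ts), ts)
        last[dest] = max(last.get(dest, ts), ts)
        count[dest] += 1
    flagged = [
        dest for dest in count
        if last[dest] - first[dest] <= timedelta(days=max_window_days)
        and count[dest] >= min_contacts
        and now - last[dest] >= timedelta(days=quiet_days)
    ]
    return sorted(flagged)

def flag_sample():
    """Run the heuristic over the constructed log as of 30 Sept 2013."""
    return short_lived_destinations(SAMPLE_LOG, datetime(2013, 9, 30))
```

Long-lived, steadily used destinations such as the constructed `cdn.example` are left alone; only the six-day burst to `update-check.example` that then stops is flagged, which is the pattern worth a retrospective look rather than a verdict on its own.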

"For the past few years, we've seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information", said Kaspersky Lab's director of global research, Costin Raiu.

"The 'hit and run' nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision. The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave," he said.
