Kaspersky Lab has published a detailed report on Icefog, a sophisticated cyber espionage campaign that targets high-profile organizations, mainly in South Korea and Japan. The name of this advanced persistent threat (APT) comes from a string found in the command and control (C&C) server name used by one of the malware samples.
According to Kaspersky, military contractors, government organizations, telecom operators, maritime and ship-building groups, mass media, industrial and high-tech companies and satellite operators have been targeted since 2011.
Among the targeted organizations, Kaspersky has named Lig Nex1, DSME Tech, Fuji TV, Korea Telecom, Selectron Industrial Company, the Japanese Parliament and the Japan-China Economic Association.
What’s interesting about the Icefog campaign is that the attackers appear to know exactly what they want from each victim. They infiltrate the systems, locate the data they are after, and steal it. Once this is done, the target is abandoned.
The attacks start with spear phishing emails that contain attachments or links to malicious websites. The files attached to emails are maliciously crafted Microsoft Word and Excel documents that exploit several known vulnerabilities in an effort to push a piece of malware onto the targeted systems.
In addition, Java exploits, malicious Hangul Word Processor files and HLP files are also utilized. Researchers have not spotted any zero-day vulnerabilities being exploited in the campaign.
Once the Icefog malware infects a machine, it begins uploading basic system information to the C&C servers. The backdoor allows the attackers to execute commands and download the additional tools they need to steal the information they’re after.
It’s worth noting that the attackers process each victim manually; the data theft is not automated as it is in many other APT campaigns. In most cases, the data targeted consists of sensitive documents and company plans, email account credentials, and access passwords to various resources.
Six variants of the Icefog malware have been uncovered so far. The threats target both Windows and Mac OS X machines. The precise number of victims is difficult to determine. However, researchers have spotted over 350 Mac OS X victims and several dozen Windows victims.
Although most of the victims are based in Japan and South Korea, some infections have been spotted in Taiwan, Hong Kong, China, the US, Australia, Canada, Italy, Austria, Germany, the UK, Belarus, Malaysia, and Singapore.
Kaspersky says there’s no concrete evidence that a nation-state is behind the campaign, and as far as attribution is concerned, the company has not publicly named anyone. It is, however, providing additional information in a private report to government and law enforcement agencies.
Currently, the campaign is still active.
A complete report on Icefog is available on Kaspersky’s website.