Cyber mercenaries 'hit and run' warning after Kaspersky Icefog hacker discovery

Report from Kaspersky details 'advanced persistent threat' from group mainly targeting South Korea and Japan

Kaspersky has discovered 'Icefog', a hacking campaign that targets the supply chains of Western companies, a report by the security and anti-virus software provider has revealed, as it warns about the growing threat of "cyber-mercenaries".

Described as a small yet energetic advanced persistent threat (APT) group, Icefog mainly focuses on targets in South Korea and Japan. Government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and the media have all fallen victim to the group, which Kaspersky has been tracking since 2011.

The main reason for the cyber attacks by Icefog appears to be the theft of data, with corporate documents, email accounts and passwords all stolen in order to access sensitive information.

The campaign has been dubbed Icefog after a string used in the command-and-control (C&C) server of one of the malware samples examined by Kaspersky. The malware gives the attackers control of infected systems, allowing them to manually steal specific data from targeted machines.

Kaspersky said that the attacks are very "hit and run" in nature: the hackers know exactly what information needs to be taken, and abandon the victim once everything required has been stolen. That differs from other APT attacks, in which victims' systems remain infected for months or even years.

Icefog acquires its targets through the use of spear-phishing via emails containing malicious links or attachments. One example given by Kaspersky showed how some users were lured into running the malware by downloading infected pornographic images.

Once installed, the malware targeted exploits in Microsoft Word and Excel, allowing the hackers to access systems. Icefog is also known to target Mac OS X systems, and while Kaspersky "suspects" there is an Android version, it has not yet been able to find one.

"For the past few years, we've seen a number of APTs hitting pretty much all kinds of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, exfiltrating terabytes of sensitive information," said Costin Raiu, director of the Global Research & Analysis Team at Kaspersky Lab.

"The 'hit and run' nature of the Icefog attacks demonstrates a new emerging trend: smaller hit-and-run gangs that are going after information with surgical precision," he continued, describing Icefog as part of a growing problem of cyber mercenaries.

"The attack usually lasts for a few days or weeks and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused 'APT-to-hire' groups to grow, specialising in hit-and-run operations; sort of 'cyber mercenaries' of the modern world," said Raiu.