Kaspersky Lab in September 2013 announced to have discovered Icefog team, an emerging group of cyber-mercenaries available for hire to conduct surgical hit and run operations against strategic targets. The cyber mercenaries are recruited by governments and private companies and according to Kaspersky experts, the group is composed of high skilled hackers able to conduct sophisticated attacks.
“What we have here is the emergence of small groups of cyber-mercenaries available to perform targeted attacks,” “We actually believe they have contracts, and they are interested in fulfilling whatever the contract requirements are,” declared Kaspersky’s research director, Costin Raiu, in an interview with Reuters.
The Icefog team is a persistent collector of sensitive information, Kaspersky team detected a series of APT attacks against the defense supply chain (e.g. Military contractors, shipbuilders, satellite operators, high-tech companies ) Japan and South Korea.
The Icefog team attacked victims with an own backdoor set, dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.
The “hit and run” nature of the Icefog operations appeared unusual, different from almost APT campaigns in which victims remain infected for a long period, the attackers are processing victims rapidly, stealing only information of interest and showing a deep knowledge of the victims and the information they search for.
Icefog Team went dark after just after the revelation on Kaspersky investigation in September, the experts at Kaspersky Lab continued their analysis digging into domains used in the attack that had been sinkholed by the security company to discover the extension of the infection and localize the victims of the attack through the connection that malicious agents do versus the Command and Control servers.
New revelations appear very interesting, the attackers also used a Java version of the campaign to target three oil and gas companies in the United States. It’s not a surprise that the energy sector is under constant cyber attacks, in the last months numerous alerts were issued by US authorities, including the DHS. The excellent work of the Kaspersky Lab team has confirmed it, the three companies involved were already notified, and to have adopted the necessary measured to sanitize their systems.
The schema of attack appears consolidated, victims within these companies were likely duped by a spear phishing email that contained an Office exploit.
Once lured the victims, the Icefog group launched the Java backdoor, dubbed Javafog, a malicious code that also referred a new command and control for backdoor communication.
“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C. We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations. (Most Icefog operations being very short – the “hit and run” type).” reported Kaspersky in a blog post on SecureList.
According experts at Kaspersky the Javafog backdoor could indicate that the Icefog mercenaries were running a US-specific operation, according the analysis on the backdoor used the team was preparing a long-term cyber espionage campaign.
“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long-term collection of intelligence on the target,” “This brings another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought.” reported the Kaspersky report.
In October when Kaspersky Lab took over an Icefog domain called lingdona[.]com (which expired in September 2013) hosted in Hong Kong, it matched other known Icefog domains and first analysis revealed that it began receiving connections every 10 seconds from a Javafog, a new turn since other variants used IE User-Agent strings.
Security experts unable to find a malware sample connecting to above domain, they were able to find a URL submitted to a public JSUNPACK service that was hosted on “sejonng[dot]org” and “starwars123[dot]net”, two known Icefog domains that referenced a Java applet called policyapplet.jar. The researchers decoded a long hexadecimal string parameter tagged to policyapplet reference and found another Java applet with a main class JavaTool.class that was compiled in 2010.
Once installed on victims the backdoor latches onto the computer’s registry for persistence at start-up and then begins connecting to C&C server lingdona[.]com/news sending system information.
If the attackers consider the infected machine as a target of value, they can then send back any number of commands, ordering to the backdoor to upload local files (upload_*), migrate to a new command and control server URL (cmd_UpdateDomain), or execute a string specified and upload the results(cmd_*).
The US operation was small involving eight IPs belonging to the three U.S. oil and gas companies’ victims of the Icefog attacks and connected to the lingdona domain. The researchers noted as well that two of the victims updated Java from Java 1.7 update 25 to update 45.
No doubts that we will read again in the next future on the Icefog team.
(SecurityAffairs – Icefog APT, cyber espionage)