The activities of the APT group were first uncovered by Kaspersky Lab in September 2013, at the time the researchers defined the crew as an emerging group of cyber-mercenaries that was able to carry out surgical hit and run operations against strategic targets. The cyber mercenaries were recruited by governments and private companies, it was composed of highly skilled hackers able to conduct sophisticated attacks.
The APT group is considered a persistent collector of sensitive information, Kaspersky team detected a series of attacks against the defense supply chain (e.g. Military contractors, shipbuilders, satellite operators, high-tech companies ) in Japan and South Korea.
The Icefog team also targeted companies in the energy industry in the US, threat actors used a custom backdoor dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.
At the time the “hit and run” nature of the operations appeared unusual, the attackers were processing victims rapidly, stealing only information of interest and showing a deep knowledge of the targets and the information they were searching for.
The group of hackers went dark just after the Kaspersky shared findings of its investigation in September 2013.
This week, Chi-en (Ashley) Shen presented at the CONFidence cybersecurity conference held in Poland her analysis on new samples of malware associated with the ICEFOG group.
Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Some samples for both variants have been compiled between 2014 and 2019.
Both ICEFOG-P and ICEFOG-M are more complex of the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.
ICEFOG-M is the latest variant, it is a
The researchers explained that the ICEFOG-P variant is not particularly complex, it remained under the radar simply because was rarely used.
The researcher also spotted a Mac version of the malware, tracked as MacFog) that was unknown in the cyber security community. MacFog was initially distributed in Chinese forums
Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups,
Shen spotted variants of the ICEFOG malware in attacks targeting:
In the latest campaign in 2019, tracked as SKYLINE Campaign, hackers targeted Turkey and Kazakhstan, the timestamp suggests the campaign might have been active at least since 2018. Attackers leveraged CVE 2017-11882 shared exploit template and used a
According to Shen, most samples were mainly involved in cyber espionage campaign, threat actors appear to be politically motivated.
Below the conclusions of the excellent analysis conducted by Shen: