'Icefog' spying operation targeted Japan, South Korea

A hacking group that targeted Japan’s parliament in 2011 is believed to have conducted nimble data thefts against organizations mainly in South Korea and Japan, including defense contractors, over the past two years.

The “Icefog” hackers probed victims one by one, carefully copying select files and then exiting the systems, according to security vendor Kaspersky Lab, which released a 68-page report on the group Wednesday.

“The nature of the attacks was also very focused,” Kaspersky wrote. “In many cases, the attackers already knew what they were looking for.”

Over the past several years, security analysts have noticed an uptick in so-called “advanced persistent threat” (APT) attacks, where interlopers plant stealthy malware on networks for cyber spying.

“In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations, a kind of ‘cyber mercenaries’ of the modern world,” the report said.

Image: Kaspersky Lab

Kaspersky did not name the organizations that were victimized, but did name a few targeted by Icefog. A private report with more information is available to governments, the company said.

Those targeted included the defense contractors Lig Nex1 and Selectron Industrial Company; two shipbuilding companies, DSME Tech and Hanjin Heavy Industries; Korea Telecom, Fuji TV and the Japan-China Economic Association. Kaspersky said the naming of those companies did not imply the Icefog attacks were successful.

Icefog was detected in 2011 after the group targeted Japan’s parliament, and its campaign has continued through this year, Kaspersky said.

Based on where the stolen data was transferred to, Kaspersky wrote the attackers are assumed to be in China, South Korea and Japan.

The hackers target victims by email, sending malicious attachments or links to websites that will attack the victim’s computer if it has software vulnerabilities in programs such as Microsoft Word, Adobe Reader or within the operating system.

Mac OS X systems are also targeted. Kaspersky counted 4,500 IP addresses that were infected, which belonged to more than 430 victims. The Macfog malware, which purported to be a graphics application, popped up late last year on several Chinese-language forums.

“The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide,” the report said.

Once a computer has been compromised, the hackers upload malicious tools and backdoors. They look for email account credentials, sensitive documents and passwords to other systems, Kaspersky said.

After the hackers find what they’re looking for, the Icefog attackers tend to exit the systems.

“The ‘hit and run’ nature of this operation is one of the things that make it unusual,” the report said. “While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims.”