Icefog – Kaspersky discovered the group of cyber mercenaries

Pierluigi Paganini September 27, 2013

Kaspersky Lab discovered the emerging group of cyber-mercenaries Icefog available for hire to perform surgical hit and run operations against strategic targets.

Researchers at Kaspersky Lab sustain to have identifies a group of cyber mercenaries called Icefog that is responsible for a huge cyber espionage campaign, occurred in 2011, against Japanese parliament and dozens of government agencies and strategic companies in Japan and South Korea.

The cyber mercenaries are recruited by governments and private companies and according Kaspersky experts the group is composed by high skilled hackers able to conduct sophisticated attacks.

“What we have here is the emergence of small groups of cyber-mercenaries available to perform targeted attacks,”  “We actually believe they have contracts, and they are interested in fulfilling whatever the contract requirements are,” declared Kaspersky’s research director, Costin Raiu, in an interview with Reuters.

The name “Icefog” derived from a string used in the command-and-control server name found in one of the malware samples.

The principal targets of Icefog group are governments and military institutions, Icefog is an advanced persistent threat conducted by independent entities that targeted high-profile victims and stealthily infiltrate their networks to steal sensitive data.  This APT represents a novelty because hackers do not belong, unlike when it happens in the most previous campaigns, to government cyber units. The Icefog group counts among its victims media companies, telecomoperators, satellite operators and defense contractors including Selectron Industrial Co. which supplies US-designed components for defense and industrial customers in Korea, Japan and elsewhere.

Kaspersky released a detailed report on the Icefog operations, its researchers localized and analyzed the command and control servers used by the attackers describing the techniques adopted, identifying the victims of the attacks and the information gathered. Based on the list of IPs used to control the infrastructure the Kaspersky Lab specialists revealed that some of the attackers are either based in China, South Korea, Japan.

Following the graphs related to the distribution of backdoor respectively for Windows-based machine and Mac PC.

Icefog APT number of hitsJPG Window



Icefog APT number of hitsJPG Mac



The Icefog group relies on spear-phishing and exploits for known vulnerabilities, as usual they used social engineering techniques to deceive victims.  The lure documents used in the attacks are specifically crafted for the victims proposing content of interest.

The Icefog team is a persistent collector of sensitive information, it has stolen sensitive documents, company blueprints, e-mail account and corporate services. The Icefog team used its backdoor set, dubbed “Fucobha”, including exploits for both Microsoft Windows and Mac OS X.

The Kaspersky experts highlighted the “hit and run” nature of the Icefog operations that appears unusual, different from almost APT campaigns in which victims remain infected for a long period, the attackers are processing victims rapidly and in a surgical manner, stealing only information of interest. The analysis of C&C revealed that Icefog hackers have a deep knowledge of the victims and the information they search for.

“Once the desired information is obtained, they abandon the infection and move on.”

More victims than Japan and Korea are China, the U.S., Australia, Canada, the U.K., Italy, Germany, Austria, Singapore, Belarus and Malaysia, Kaspersky observed more than 4,000 uniquely infected IPs and several hundred victims.

What do we expect from the next future?

“For the past few years, we’ve seen a number of APTs hitting pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out sensitive information,” The attack usually lasts for a few days or weeks and after obtaining what they are looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber mercenary’ team for the modern world,” declared Raiu

Pierluigi Paganini

(Security Affairs –  Icefog, cyber espionage, APT)

you might also like

leave a comment