Hunting the ICEFOG APT group after years of silence

Pierluigi Paganini June 08, 2019

A security researcher found new evidence of activities conducted by the ICEFOG APT group, also tracked by the experts as Fucobha.

Chi-en (Ashley) Shen, a senior security researcher at FireEye, collected evidence that demonstrates that China-linked APT group ICEFOG (aka Fucobha) is still active.

The activities of the APT group were first uncovered by Kaspersky Lab in September 2013, at the time the researchers defined the crew as an emerging group of cyber-mercenaries that was able to carry out surgical hit and run operations against strategic targets.  The cyber mercenaries were recruited by governments and private companies, it was composed of highly skilled hackers able to conduct sophisticated attacks.

The APT group is considered a persistent collector of sensitive information, Kaspersky team detected a series of attacks against the defense supply chain (e.g. Military contractors, shipbuilders, satellite operators, high-tech companies ) in Japan and South Korea.

The Icefog team also targeted companies in the energy industry in the US, threat actors used a custom backdoor dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.

At the time the “hit and run” nature of the operations appeared unusual, the attackers were processing victims rapidly, stealing only information of interest and showing a deep knowledge of the targets and the information they were searching for.

The group of hackers went dark just after the Kaspersky shared findings of its investigation in September 2013.

This week, Chi-en (Ashley) Shen presented at the CONFidence cybersecurity conference held in Poland her analysis on new samples of malware associated with the ICEFOG group.

Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Some samples for both variants have been compiled between 2014 and 2019.


Both ICEFOG-P and ICEFOG-M are more complex of the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.

ICEFOG-M is the latest variant, it is a fileless malware that supports the same features of the ICEFOG-P but leverages HTTPs for communications.

The researchers explained that the ICEFOG-P variant is not particularly complex, it remained under the radar simply because was rarely used.

The researcher also spotted a Mac version of the malware, tracked as MacFog) that was unknown in the cyber security community. MacFog was initially distributed in Chinese forums

Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups,

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015
  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
  • the government of multiple former Soviet states in 2015 (Roaming Tiger)
  • Kazach officials in 2016 (APPER campaign)
  • water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign in 2019, tracked as SKYLINE Campaign, hackers targeted Turkey and Kazakhstan, the timestamp suggests the campaign might have been active at least since 2018. Attackers leveraged CVE 2017-11882 shared exploit template and used a fileless version of the ICEFOG-M.

icefog attacks timeline

According to Shen, most samples were mainly involved in cyber espionage campaign, threat actors appear to be politically motivated.

Below the conclusions of the excellent analysis conducted by Shen:

  • ICEFOG is malware shared among Roaming Tiger, APT15, Temp Group A and suspected APT9.
  • Shared malware is a pitfall for attribution, we should not do attribution only based on malware.
  • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to target Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey.
  • With the file-less ICEFOG-M, host-based detection for payloads are more difficult.
  • Continued development indicates there could be more attacks leveraging ICEFOG in future campaigns, and possibly leveraged by more attackers
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cyberespionage, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment