Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.
Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets organizations in the Western world as well, like the U.S. and Europe.
At the moment, we are not disclosing the names of the victims. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.
Our technical research indicates the attackers were interested in targeting a number of entities, mainly in South Korea, Taiwan and Japan. These include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.
The fact that the organizations above were targeted does not imply the attacks were also successful. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.
As usual, it's difficult to get an accurate estimate of the number of victims. We are only seeing part of the full picture, which shows several dozen Windows victims and more than 350 Mac OS X victims. It's important to point out that the vast majority of Mac OS X victims (95%) are in China.
The name "Icefog" comes from a string used in the command-and-control server (C&C) name of one of the malware samples we analyzed. We also confirmed that the C&C software is named "Dagger Three" ("尖刀三号") when translated from the Chinese language.
For martial arts fans, "尖刀三号" is similar to "三尖刀", which is an ancient Chinese weapon.
Note: Another name for the backdoor used in these attacks is "Fucobha".
At its core, Icefog is a backdoor that serves as an interactive espionage tool that is directly controlled by the attackers. It does not automatically exfiltrate data but is instead manually operated by the attackers to perform actions directly on the infected live systems. During Icefog attacks, several other malicious tools and backdoors are uploaded to the victims' machines for lateral movement and data exfiltration.
Icefog is distributed to targets via spear-phishing e-mails which can either have attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities (e.g. CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents. Once these files are opened by the target, a backdoor is dropped onto the system and a decoy document is then shown to the victim.
Lure document shown to the victim upon successful execution of the exploit.
In addition to Office documents, the attackers use malicious pages with Java exploits (CVE-2013-0422 and CVE-2012-1723) and malicious HWP and HLP files.
Note 1: Oracle had released the patches for both Java exploits on Jan 20, 2013 and June 12, 2012 respectively.
Note 2: "HWP" are document files used by Hangul Word Processor. According to Wikipedia, Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. It is used extensively in South Korea, especially by the government.
We have not encountered the use of any zero-day vulnerabilities. However, we cannot completely rule out the fact that unpatched software vulnerabilities may be targeted.
On one of the victims, we observed what appeared to be the use of a kernel exploit through a Java application for what appeared to be an escalation of privileges, although we do not know if it was a zero-day or not, as the file had been deleted by the attackers after being used.
There are both Windows and OS X variants of Icefog. The Windows machines are infected through "hit and run" targeted attacks. The attackers come, steal what they want and leave. The Mac OS X machines were infected through a different method in what appeared to be a "beta testing" phase of the Mac OS X backdoor.
Although we suspect a possible Android variant, we haven't been able to find it yet.
Once the backdoor gets dropped onto the machine, it works as a remotely controlled Trojan with four basic cyber-espionage functions:
In general, each APT attack is different and unique in its own style. In case of Icefog, there are certain characteristic traits that set it apart:
In June 2013, we obtained a targeted attack sample against Fuji TV. The spear-phishing e-mail contained a malicious attachment that dropped the Icefog malware. Upon further analysis, we identified other variants and multiple spear-phishing attacks.
While analyzing the new attack, it became obvious this was a new version of the malware that attacked the Japanese Parliament in 2011. Considering the importance of the attack, we decided to do a thorough investigation.
There are multiple variants which were created during the years. During our analysis we observed:
Yes, there are multiple active Icefog C&Cs at the moment, with live victims connecting to them. We were also able to sinkhole several domains used by Icefog and collect statistics on the victims. In total, we observed more than 3600 unique infected IPs and several hundred victims. The full sinkhole statistics are available in our Icefog paper.
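The gap between "unique infected IPs" and "victims" above comes from counting differently: one infected host can beacon from several addresses over time. The following script is an added example (not Kaspersky's code) that triages constructed sinkhole log lines and reports both numbers; it assumes a simplified log layout and a per-host `id=` parameter in the beacon, neither of which the page describes.

```python
"""Sinkhole log triage: unique source IPs versus distinct victim hosts."""
import re
from collections import defaultdict

# Constructed sample log (assumption: one line per request, and the beacon
# carries a per-host identifier in the query string; the real Icefog beacon
# format is not given on the page). 192.0.2.45 is crawler noise, not a victim.
SINKHOLE_LOG = """\
2013-06-03 08:14:02 203.0.113.10 GET /update.php?id=HOST-A1 sinkhole-1.example
2013-06-03 08:44:07 203.0.113.10 GET /update.php?id=HOST-A1 sinkhole-1.example
2013-06-03 09:02:51 198.51.100.7 GET /update.php?id=HOST-A1 sinkhole-1.example
2013-06-03 09:10:00 198.51.100.22 GET /update.php?id=HOST-B7 sinkhole-2.example
2013-06-04 11:31:45 192.0.2.44 GET /update.php?id=HOST-B7 sinkhole-2.example
2013-06-04 12:00:13 192.0.2.45 GET /robots.txt sinkhole-2.example
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<ip>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<host>\S+)$")
ID_RE = re.compile(r"[?&]id=([A-Za-z0-9-]+)")


def parse_beacons(text):
    """Yield (date, ip, victim_id, sinkhole_host) for beacon-shaped lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.search(m["path"])
        if not idm:  # scanners and crawlers hit sinkholes too; skip them
            continue
        yield m["date"], m["ip"], idm.group(1), m["host"]


def summarize(text):
    """Count unique IPs, distinct victims, and how many IPs each victim used."""
    ips, victims = set(), set()
    ips_per_victim = defaultdict(set)
    victims_per_sinkhole = defaultdict(set)
    for _date, ip, vid, host in parse_beacons(text):
        ips.add(ip)
        victims.add(vid)
        ips_per_victim[vid].add(ip)
        victims_per_sinkhole[host].add(vid)
    return {
        "unique_ips": len(ips),
        "unique_victims": len(victims),
        "ips_per_victim": {v: len(s) for v, s in ips_per_victim.items()},
        "victims_per_sinkhole": {h: len(s) for h, s in victims_per_sinkhole.items()},
    }
```

On the constructed log this reports 4 unique IPs but only 2 victims, the same kind of discrepancy the paragraph describes.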
The attackers are stealing several types of information, including:
There is no concrete evidence to confirm this was a nation-state sponsored operation. The only way to distinguish adversary groups is by identifying their motivations within the scope of the campaign.
APTs can target any organization or company with valuable data, whether it be a nation-state sponsored cyber-espionage/surveillance operation, or a financially-motivated cyber-criminal operation. Based on the analysis and the topology of victims, the attackers could be converting stolen data into money or using it for cyber-espionage purposes.
The "hit and run" nature of this operation is one of the things that make it unusual. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned.
During the past years, we observed a large increase in the number of APTs which are hitting pretty much all types of victims and sectors. In turn, this is coupled with an increased focus on sensitive information and corporate cyber-espionage.
In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations.
Attribution information on Icefog is available through our private report available for government and law enforcement partners.
Yes, we observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. However, we believe that this list of countries might not represent the real interest of the attackers. Some of the samples were distributed via publicly available websites and could hit random victims from any country in the world. We believe that was done to probe the malware in different environments and test its efficiency.
Icefog has been active since at least 2011, targeting mostly South Korea and Japan. Known targets include governmental institutions, military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.
The command-and-control servers are unusual in their extensive use of AJAX technologies, making them graphically enticing and easy to use. To attack victims, the Icefog attackers commonly use HWP documents, which are an unusual and rare form of attack, partly because the HWP product is used almost exclusively in Korea.
On one of the victims, we observed what appeared to be the use of a kernel exploit through a Java application for an escalation of privileges, although we do not know if it was a zero-day or not as the file was no longer available.
Yes, our products detect and eliminate all variants of the malware used in this campaign:
Yes, these have been released as part of our detailed report on Icefog.