The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.
Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.
Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain -- targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. This Icefog campaigns rely on custom-made cyber-espionage tools for Microsoft Windows and Apple Mac OS X. The attackers directly control the infected machines during the attacks; in addition to Icefog, we noticed them using other malicious tools and backdoors for lateral movement and data exfiltration.
Key findings on the Icefog attacks:
Lure document shown to the victim upon successful execution of the exploit
Kaspersky Lab would like to thank KISA (Korea Internet & Security Agency) and INTERPOL for their support in this investigation.
We're sharing Indicators of Compromise based on the OpenIOC framework for Icefog. This way organizations have an alternative way of checking their network for presence of (active) Icefog infections.
You can download the IOC file (.zip) here.
A detailed FAQ on Icefog is available.
You can read our full Icefog report here: