Two separate espionage groups are making highly targeted attacks on the networks of government agencies and private corporations in search of military, political and industrial secrets, according to independent research efforts by Kaspersky Lab and Symantec.
One group, in operation since 2011, has compromised hundreds of computer systems at companies and government agencies in Japan, South Korea and Taiwan, as well as systems in Europe and the United States, according to an analysis by security firm Kaspersky Lab published last week.
Dubbed Icefog, the group of digital spies is responsible for twin digital attacks on the Japanese House of Representatives and the House of Councillors in 2011. It has also targeted shipbuilding companies, defense contractors, media firms and telecom operators, Kaspersky stated in its analysis.
While other groups have tried to maintain their presence in a compromised network for as long as possible, the Icefog group has adopted “hit and run” tactics–hacking in, stealing data and then quickly cleaning up—Kaspersky’s global research and analysis team (GReAT) stated in a blog post summarizing the research.
“Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision,” the Kaspersky team said.
Espionage groups—frequently referred to as advanced persistent threats (APTs)—are evolving. The hit-and-run strategy employed by Icefog is just one path such groups have taken to more effectively compromise their targets and steal data. Symantec has studied another group, dubbed “Hidden Lynx,” that appears to contract spies, stealing information based on its clients’ needs. Both groups show that the attackers’ techniques continue to mature as they apply various network infiltration tactics including focusing on their targets’ suppliers as a means to compromise targeted systems.
For example, the Hidden Lynx group attempted to compromise defense contractors, but when it was blocked by software produced by security firm Bit9, the spies broke into that company’s network and grabbed the digital equivalent of a skeleton key.
“They reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose,” a Symantec analysis of Hidden Lynx concluded.
The Icefog group focuses on a short list of documents, stealing business secrets and company plans, credentials for email accounts and passwords for access to both internal and external company resources.
“The Icefog attackers appear to know exactly what they need from the victims,” the Kaspersky analyst team stated. “Once the information is obtained, the victim is abandoned.”
While the exact number of victims is unknown, dozens of Windows machines and more than 350 Mac OS X systems have been compromised by the Icefog malware, perhaps the first time a group has focused so heavily on Mac systems. Kaspersky suspects that there may even be an Icefog tool for infecting Android systems.
The group has created at least six different variants of the malware to allow it to use different command-and-control mechanisms. The group and its malware will continue to evolve, and more will likely follow, the Kaspersky analysts said.
“In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations,” the company stated.