Attacks/Breaches
9/26/2013
02:06 PM

Rise Of The 'Hit-And-Run' APT

A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave -- with specific targeted information

Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, "smash-and-grab" strategy using contracted hackers.


The newly discovered "Icefog" attack campaign, unmasked by Kaspersky Lab this week, features hit-and-run attacks on targeted Windows machines, where the attackers steal what they're after and then get out. The attack also appears to be "beta testing" a Mac OS X backdoor, according to the researchers, who say it operates out of China, South Korea, and Japan.

Such a for-hire, commando-type operation at first glance may seem to contradict the "p" in APT -- "persistent" -- but researchers say the in-and-out attack is a better way to remain undetected and successfully complete their mission. "Getting in and out of networks quickly is generally going to be more covert than staying in long-term. Staying in longer does provide an attacker with the opportunity to exfiltrate the data more slowly," says Roel Schouwenberg, senior researcher, in an email interview. "I think a lot of people have been using the term APT and cyberespionage interchangeably. This group is as persistent as it needs to be to get the job done."

Moving in and out of the target's network quickly suggests the attackers have been instructed to grab specific information, he says. "We do think this actor functions as a cybermercenary group," Schouwenberg says.

The attackers plant a backdoor that's directly and manually controlled by the attackers. It doesn't automatically pilfer information and credentials like most traditional cyberespionage attacks do; instead, the attackers interact "live" with the infected machines. And additional backdoors and malware are placed on the victim's machines for siphoning the data, as well as moving laterally within the victim's network, Kaspersky Lab found.

Icefog's unmasking follows that of a Chinese APT group called Hidden Lynx, which also operates on a for-hire basis, hacking specific targets for clients who commission them. Symantec, which published a whitepaper on the group and its attack methods earlier this month, found that the Hidden Lynx gang was behind watering-hole attacks that targeted U.S. financial services firms, and also broke into Bit9's server to gain access to its file-signing infrastructure in order to sign malware. It's also connected to the infamous Operation Aurora attacks on Google, Adobe, Intel, and others.

Cyberespionage actors are performing more reconnaissance these days from inside-out as well as outside-in, says Tom Kellermann, vice president of cybersecurity at Trend Micro. Trend Micro lately has seen more "smash-and-grab" attacks by cyberspies, he says.

"It looks more like a commando-style op [now]," Kellermann says. "But keep in mind that, realistically, every time they do leave, they are leaving behind a remote access Trojan or a backdoor in some host" in order to maintain a foothold, he says. In some cases, they leave the backdoors on backup servers because those machines are rarely updated or changed, says Kellermann, whose company published a report this week on APTs.

Icefog, meanwhile, has been in operation since 2011. It has targeted mainly defense contractors in South Korea, Taiwan, and Japan, including government institutions, maritime and shipbuilding organizations, telecommunications providers, satellite operators, high-tech firms, and mass media. Kaspersky Lab says it's likely the gang -- which is still actively attacking victims -- also targets interests in the U.S. and Europe.

The researchers sinkholed 13 of Icefog's 70 or so domains to study the attack, and saw more than 4,000 infected IP addresses and several hundred victims. Among the defense contractors that appear to be in the bull's eye of the campaign are Lig Nex1 and Selectron Industrial Company; shipbuilding firms DSME Tech and Hanjin Heavy Industries; telecom operator Korea Telecom; and media Fuji TV and the Japan-China Economic Association. Kaspersky Lab says the attacks were not necessarily successful against those targets, however.

The researchers spotted "a few dozen" Windows machines that were infected, along with more than 350 Mac OS X machines. The attackers were mostly stealing sensitive documents, email account credentials, and passwords to internal and external resources of the victims.

Unlike traditional APT attacks that linger for months or years, the Icefog attack lasts for a few days or weeks: Once the attackers get the information they were after, they leave -- a more focused APT model that Kaspersky expects to become more popular.

"This is another cyberespionage attack featuring a Mac/OSX component. Businesses need to be thinking more about protecting their non-Windows machines," Kaspersky's Schouwenberg says.

[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call.]

Destructive APTs
Kellermann says APTs -- which mostly are associated with stealing, not destroying information -- could begin adopting a more destructive approach in the near future. "As we become better at incident response, we are going to see more manifestations of destructive payloads against you for turning off a C&C," for example, he says. "It's not just political events that will be the harbinger of destructiveness ... they will use this to punish organizations and to obfuscate what they're doing on the network.

"They've done incredible levels of recon and know our networks better than we do, and know our critical failures."

There has already been at least one high-profile case of this: The recent Dark Seoul DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities were part of a four-year effort to steal information about South Korean military and government operations. The so-called Operation Troy also targeted U.S. Forces Korea, Republic of Korea, the Korean Department of Defense, and the U.S. Department of Defense, and the DDoS and data destruction attacks were merely serving as a smokescreen for the theft of military secrets about South Korea and the U.S., researchers from McAfee discovered.

Advanced threats, such as nation-state APTs, will be the topic of an Interop talk next week by Bit9 CTO Harry Sverdlove, who will present 14 lessons learned from actual advanced attacks.

The full Kaspersky Lab report on Icefog is available here (PDF) for download.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise Magazine.
