02:06 PM
Connect Directly

Rise Of The 'Hit-And-Run' APT

A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave -- with specific targeted information

Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, "smash-and-grab" strategy using contracted hackers.

Click here for more articles from Dark Reading.
Click here to register to attend Interop.

The newly discovered "Icefog" attack campaign, unmasked by Kaspersky Lab this week, features hit-and-run attacks on targeted Windows machines, where the attackers steal what they're after and then get out. The attack also appears to be "beta testing" a Mac OS X backdoor, according to the researchers, who say it operates out of China, South Korea, and Japan.

Such a for-hire, commando-type operation at first glance may seem to contradict the "p" in APT -- "persistent" -- but researchers say the in-and-out attack is a better way to remain undetected and successfully complete their mission. "Getting in and out of networks quickly is generally going to be more covert than staying in long-term. Staying in longer does provide an attacker with the opportunity to exfiltrate the data more slowly," says Roel Schouwenberg, senior researcher, in an email interview. "I think a lot of people have been using the term APT and cyberespionage interchangeably. This group is as persistent as it needs to be to get the job done."

Moving in and out of the target's network quickly suggests the attackers have been instructed to grab specific information, he says. "We do think this actor functions as a cybermercenary group," Schouwenberg says.

The attackers plant a backdoor that's directly and manually controlled by the attackers. It doesn't automatically pilfer information and credentials like most traditional cyberespionage attacks do; instead, the attackers interact "live" with the infected machines. And additional backdoors and malware are placed on the victim's machines for siphoning the data, as well as moving laterally within the victim's network, Kaspersky Lab found.

Icefog's unmasking follows that of a Chinese APT group called Hidden Lynx, which also operates on a for-hire basis, hacking specific targets for clients who commission them. Symantec, which published a whitepaper on the group and its attack methods earlier this month, found that the Hidden Lynx gang was behind water-holing attacks that targeted U.S. financial services firms, and also broke into Bit9's server to gain access to its file-signing infrastructure in order to sign malware. It's also connected to the infamous Operation Aurora attacks on Google, Adobe, Intel, and others.

Cyberespionage actors are performing more reconnaissance these days from inside-out as well as outside-in, says Tom Kellermann, vice president of cybersecurity at Trend Micro. Trend Micro lately has seen more "smash-and-grab" attacks by cyberspies, he says.

"It looks more like a commando-style op [now]," Kellermann says. "But keep in mind that, realistically, every time they do leave, they are leaving behind a remote access Trojan or a backdoor in some host" in order to maintain a foothold, he says. In some cases, they leave the backdoors on backup servers because those machines are rarely updated or changed, says Kellermann, whose company published a report this week on APTs.

Icefog, meanwhile, has been in operation since 2011. It has targeted mainly defense contractors in South Korea, Taiwan, and Japan, including government institutions, maritime and shipbuilding organizations, telecommunications providers, satellite operators, high-tech firms, and mass media. Kaspersky Lab says it's likely the gang -- which is still actively attacking victims -- also targets interests in the U.S. and Europe.

The researchers sinkholed 13 of Icefog's 70 or so domains to study the attack, and saw more than 4,000 infected IP addresses and several hundred victims. Among the defense contractors that appear to be in the bull's eye of the campaign are Lig Nex1 and Selectron Industrial Company; shipbuilding firms DSME Tech and Hanjin Heavy Industries; telecom operator Korea Telecom; and media Fuji TV and the Japan-China Economic Association. Kaspersky Lab says the attacks were not necessarily successful against those targets, however.

They spotted "a few dozen" Windows machines that were infected, along with more than 350 Mac OS X machines. The attackers were mostly stealing sensitive documents, email account credentials, and passwords to internal and external resources of the victims.

Unlike traditional APT attacks that linger for months or years, the Icefog attack lasts for a few days or weeks: Once the attackers get the information they were after, they leave -- a more focused APT model that Kaspersky expect to become more popular.

"This is another cyberespionage attack featuring a Mac/OSX component. Businesses need to be thinking more about protecting their non-Windows machines," Kaspersky's Schouwenberg says.

[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call .]

Destructive APTs
Kellermann says APTs -- which mostly are associated with stealing, not destroying information -- could begin adopting a more destructive approach in the near future. "As we become better at incident response, we are going to see more manifestations of destructive payloads against you for turning of a C&C," for example, he says. "It's not just political events that will be the harbinger of destructiveness ... they will use this to punish organizations and to obfuscate what they're doing on the network.

"They've done incredible levels of recon and know our networks better than we do, and know our critical failures."

There has already been at least one high-profile case of this: The recent Dark Seoul DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities were part of a four-year effort to steal information about South Korean military and government operations. The so-called Operation Troy also targeted U.S. Forces Korea, Republic of Korea, the Korean Department of Defense, and the U.S. Department of Defense, and the DDoS and data destruction attacks were merely serving as a smokescreen for the theft of military secrets about South Korea and the U.S., researchers from McAfee discovered.

Advanced threats, such as nation-state APTs, will be the topic of an Interop talk next week by Bit9 CTO Harry Sverdlove, who will present 14 lessons learned from actual advanced attacks.

The full Kaspersky Lab report on Icefog is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before IF28, 7.3 before IF30, and 7.4 before IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Published: 2014-10-29
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and ob...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.