Rise Of The 'Hit-And-Run' APT

A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave -- with specific targeted information

Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, "smash-and-grab" strategy using contracted hackers.


The newly discovered "Icefog" attack campaign, unmasked by Kaspersky Lab this week, features hit-and-run attacks on targeted Windows machines, where the attackers steal what they're after and then get out. The attack also appears to be "beta testing" a Mac OS X backdoor, according to the researchers, who say it operates out of China, South Korea, and Japan.

Such a for-hire, commando-type operation may at first glance seem to contradict the "p" in APT -- "persistent" -- but researchers say the in-and-out approach is a better way to remain undetected and still complete the mission. "Getting in and out of networks quickly is generally going to be more covert than staying in long-term. Staying in longer does provide an attacker with the opportunity to exfiltrate the data more slowly," says Roel Schouwenberg, senior researcher at Kaspersky Lab, in an email interview. "I think a lot of people have been using the term APT and cyberespionage interchangeably. This group is as persistent as it needs to be to get the job done."

Moving in and out of the target's network quickly suggests the attackers have been instructed to grab specific information, he says. "We do think this actor functions as a cybermercenary group," Schouwenberg says.

The attackers plant a backdoor that's directly and manually controlled by the attackers. It doesn't automatically pilfer information and credentials like most traditional cyberespionage attacks do; instead, the attackers interact "live" with the infected machines. And additional backdoors and malware are placed on the victim's machines for siphoning the data, as well as moving laterally within the victim's network, Kaspersky Lab found.

Icefog's unmasking follows that of a Chinese APT group called Hidden Lynx, which also operates on a for-hire basis, hacking specific targets for clients who commission them. Symantec, which published a whitepaper on the group and its attack methods earlier this month, found that the Hidden Lynx gang was behind watering-hole attacks that targeted U.S. financial services firms, and also broke into Bit9's server to gain access to its file-signing infrastructure in order to sign malware. It's also connected to the infamous Operation Aurora attacks on Google, Adobe, Intel, and others.

Cyberespionage actors are performing more reconnaissance these days from inside-out as well as outside-in, says Tom Kellermann, vice president of cybersecurity at Trend Micro. Trend Micro lately has seen more "smash-and-grab" attacks by cyberspies, he says.

"It looks more like a commando-style op [now]," Kellermann says. "But keep in mind that, realistically, every time they do leave, they are leaving behind a remote access Trojan or a backdoor in some host" in order to maintain a foothold, he says. In some cases, they leave the backdoors on backup servers because those machines are rarely updated or changed, says Kellermann, whose company published a report this week on APTs.

Icefog, meanwhile, has been in operation since 2011. It has targeted mainly defense contractors in South Korea, Taiwan, and Japan, including government institutions, maritime and shipbuilding organizations, telecommunications providers, satellite operators, high-tech firms, and mass media. Kaspersky Lab says it's likely the gang -- which is still actively attacking victims -- also targets interests in the U.S. and Europe.

The researchers sinkholed 13 of Icefog's 70 or so domains to study the attack, and saw more than 4,000 infected IP addresses and several hundred victims. Among the defense contractors that appear to be in the bull's-eye of the campaign are Lig Nex1 and Selectron Industrial Company; shipbuilding firms DSME Tech and Hanjin Heavy Industries; telecom operator Korea Telecom; and media organizations Fuji TV and the Japan-China Economic Association. Kaspersky Lab says the attacks were not necessarily successful against those targets, however.

The researchers spotted "a few dozen" Windows machines that were infected, along with more than 350 Mac OS X machines. The attackers were mostly stealing sensitive documents, email account credentials, and passwords to internal and external resources of the victims.

Unlike traditional APT attacks that linger for months or years, the Icefog attack lasts for a few days or weeks: Once the attackers get the information they were after, they leave -- a more focused APT model that Kaspersky Lab expects to become more popular.

"This is another cyberespionage attack featuring a Mac/OSX component. Businesses need to be thinking more about protecting their non-Windows machines," Kaspersky's Schouwenberg says.


Destructive APTs
Kellermann says APTs -- which mostly are associated with stealing, not destroying, information -- could begin adopting a more destructive approach in the near future. "As we become better at incident response, we are going to see more manifestations of destructive payloads against you for turning off a C&C," for example, he says. "It's not just political events that will be the harbinger of destructiveness ... they will use this to punish organizations and to obfuscate what they're doing on the network.

"They've done incredible levels of recon and know our networks better than we do, and know our critical failures."

There has already been at least one high-profile case of this: The recent Dark Seoul DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities were part of a four-year effort to steal information about South Korean military and government operations. The so-called Operation Troy also targeted U.S. Forces Korea, Republic of Korea, the Korean Department of Defense, and the U.S. Department of Defense, and the DDoS and data destruction attacks were merely serving as a smokescreen for the theft of military secrets about South Korea and the U.S., researchers from McAfee discovered.

Advanced threats, such as nation-state APTs, will be the topic of an Interop talk next week by Bit9 CTO Harry Sverdlove, who will present 14 lessons learned from actual advanced attacks.

The full Kaspersky Lab report on Icefog is available here (PDF) for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
