Kaspersky Security: Evolved APT Targets US Operations
The original Icefog campaign targeted government institutions, military contractors, telecom operators, maritime and ship-building groups, satellite operators and high tech companies, primarily in South Korea and Japan.
The Icefog operation has evolved since 2011, when the campaign exfiltrated stolen data by email. Later variants interacted with command and control (C&C) servers through various .asp and .aspx scripts, and a more recent version, dubbed Icefog-NG, communicates over a direct TCP connection on port 5600. Kaspersky Lab has also identified a Mac OS X version.
The security experts at Kaspersky Lab were able to take over, or "sinkhole," 27 of the 72 known C&C servers, so that infected machines calling home reached Kaspersky's servers rather than the attackers'. Kaspersky researchers observed suspicious connections involving the domain lingdona.com, which has known links to Icefog domains.
According to a Kaspersky Lab FAQ, "The 'hit and run' nature of this operation is one of the things that makes it unusual. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned."
"The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target," explain Kaspersky Lab experts Costin Raiu, VitalyK and Igor Soumenkov. "This brings another dimension to the Icefog gang's operations, which appear to be more diverse than initially thought." The researchers from Kaspersky Lab admit that detection rates for Javafog, the Java-based Icefog variant behind that C&C, are quite low at this time.
ABOUT THE AUTHOR
James Sullivan is a freelance technology writer whose concentrations include cloud computing and video game development. He is based in Portland, Oregon.