Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.
What exactly is Icefog?
Icefog refers to a cyber-espionage campaign that has been active at least since 2011. It targets governmental institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. It is likely that the crew targets organizations in the Western world as well, like the U.S. and Europe.
Who are the victims?
At the moment, we are not disclosing the names of the victims. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.
What can you say about the targets of the attacks?
Our technical research indicates the attackers were interested in targeting a number of entities, mainly in South Korea, Taiwan and Japan. These include defense industry contractors such as Lig Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech, Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV and the Japan-China Economic Association.
The fact that the organizations above were targeted does not imply the attacks were also successful. Kaspersky Lab is in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.
One of the most prominent incidents that involved this threat actor took place in 2011, when the Japanese House of Representatives and the House of Councillors were infected
Do we know the total number of victims?
As usual, it-s difficult to get an accurate estimate of the number of victims. We are only seeing part of the full picture, which shows several dozen Windows victims and more than 350 Mac OS X victims. It-s important to point out that the vast majority of Mac OS X victims (95%) are in China.
Why do you call it Icefog?
The name “Icefog” comes from a string used in the command-and-control server (C&C) name of one of the malware samples we analyzed. We also confirmed that the C&C software is named “Dagger Three” (“尖刀三号”) when translated from the Chinese language.
For martial arts fans, “尖刀三号” is similar to “三尖刀”, which is an ancient Chinese weapon.
Note: Another name for the backdoor used in these attacks is “Fucobha”.
What does Icefog do?
At its core, Icefog is a backdoor that serves as an interactive espionage tool that is directly controlled by the attackers. It does not automatically exfiltrate data but is instead manually operated by the attackers to perform actions directly on the infected live systems. During Icefog attacks, several other malicious tools and backdoors are uploaded to the victims’ machines for lateral movement and data exfiltration.
How does Icefog infect computers?
Icefog is distributed to targets via spear-phishing e-mails which can either have attachments or links to malicious websites. The attackers embed exploits for several known vulnerabilities (eg. CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents. Once these files are opened by the target, a backdoor is dropped onto the system and a decoy document is then showed to the victim.
Lure document shown to the victim upon successful execution of the exploit.
In addition to Office documents, the attackers use malicious pages with JAVA exploits (CVE-2013-0422 and CVE-2012-1723) and malicious HWP and HLP files.
Note 1: Oracle had released the patches for both JAVA exploits on Jan 20, 2013 and June 12, 2012 respectively.
Note 2: “HWP” are document files used by Hangul Word Processor. According to Wikipedia, Hangul (also known as Hangul Word Processor or HWP) is a proprietary word processing application published by the South Korean company Hancom Inc. It is used extensively in South Korea, especially by the government.
Are the attackers using any zero-day vulnerabilities?
We have not encountered the use of any zero-day vulnerabilities. However, we cannot completely rule out the fact that unpatched software vulnerabilities may be targeted.
On one of the victims, we observed what it appeared to be the use of a Kernel exploit through a Java application for what it appeared to be an escalation of privileges, although we do not know if it was a zero-day or not, as the file has been deleted by the attackers after being used.
Is this a Windows-only threat? Which versions of Windows are targeted? Are there Mac OS X or Linux variants?
There are both Windows and OS X variants of Icefog. The Windows machines are infected through “hit and run” targeted attacks. The attackers come, steal what they want and leave. The Mac OS X machines were infected through a different method in what appeared to be a “beta testing” phase of the Mac OS X backdoor.
Have you seen any evidence of a mobile component v iOS, Android or BlackBerry?
Although we suspect a possible Android variant, we haven-t been able to find it yet.
What happens after a target machine is infected?
Once the backdoor gets dropped onto the machine, it works as a remotely controlled Trojan with four basic cyber-espionage functions:
- Hijacks and uploads basic system information to C&C servers owned and controlled by the attackers.
- Allows the attackers to push and run commands on the infected system.
- Steal and upload files from the victims to the command-and-control servers.
Downloads files (tools) from the C&C servers to the infected computers.
- Allows the attackers to directly execute SQL commands on any MSSQL servers in the network.
How is this different from any other APT attack?
In general, each APT attack is different and unique in its own style. In case of Icefog, there are certain characteristic traits that set it apart:
- Focus almost exclusively on South Korea and Japan targets.
- Stealing files isn’t automated, instead the attackers are processing victims one by one – they locate and copy only related information.
- Web-based command-and-control implementation using .NET.
- Command-and-controls maintain full attack logs filled with each and every command ran by the attackers on their victims.
- Use of HWP documents with exploits.
- Several hundred Mac OS X infections.
How did you become aware of this threat? Who reported it?
In June 2013, we obtained a targeted attack sample against Fuji TV. The spear-phishing e-mail contained a malicious attachment that dropped the Icefog malware. Upon further analysis, we identified other variants and multiple spear-phishing attacks.
While analyzing the new attack, it became obvious this was a new version of the malware that attacked the Japanese Parliament in 2011. Considering the importance of the attack, we decided to do a thorough investigation.
How many variants of Icefog are there? Are there any major differences in the variants?
There are multiple variants which were created during the years. During our analysis we observed:
- The “old” 2011 Icefog – which sends stolen data by e-mail; this version was used against the Japanese Parliament in 2011.
- Type “1” “normal” Icefog – which interacts with C2-s.
- Type “2” Icefog – which interacts with a proxy that redirects commands from the attackers.
- Type “3” Icefog – we don-t have a sample of this, but we observed a certain kind of C2 which uses a different communication method; we suspect there are victims which have this malware.
- Type “4” Icefog – same situation as “type 3”.
- Icefog-NG – which communicates by direct TCP connection to port 5600 of the C2.
Is the command-and-control server used by Icefog still active? Have you been able to sinkhole any of the C&Cs?
Yes, there are multiple active Icefog C&C-s at the moment, with live victims connecting to them. We were also able to sinkhole several domains used by Icefog and collect statistics on the victims. In total, we observed more than 3600 unique infected IPs and several hundred victims. The full sinkhole statistics are available in our Icefog paper.
What exactly is being stolen from the target machines?
The attackers are stealing several types of information, including:
- Sensitive documents and company plans.
- E-mail account credentials.
- Passwords to access various resources inside and outside the victim-s network.
Is this a nation-state sponsored attack?
There is no concrete evidence to confirm this was a nation-state sponsored operation. The only way to distinguish adversary groups is by identifying their motivations within the scope of the campaign.
APTs can target any organization or company with valuable data, whether it be a nation-state sponsored cyber-espionage/surveillance operation, or a financially-motivated cyber-criminal operation. Based on the analysis and the topology of victims, the attackers could be converting stolen data into money or using it for cyber-espionage purposes.
The “hit and run” nature of this operation is one of the things that make it unusual. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned.
During the past years, we observed a large increase in the number of APTs which are hitting pretty much all types of victims and sectors. In turn, this is coupled with an increased focus on sensitive information and corporate cyber-espionage.
In the future, we predict the number of small, focused APT-to-hire groups to grow, specializing in hit-and-run operations.
Who is responsible?
Attribution information on Icefog is available through our private report available for government and law enforcement partners.
In addition to Japan and South Korea, are there victims in any other geographical location?
Yes, we observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia. However, we believe that this list of countries might not represent the real interest of the attackers. Some of the samples were distributed via publicly available websites and could hit random victims from any country in the world. We believe, that was done to probe the malware in different environments and test its efficiency.
For how long have the attackers been active?
Icefog has been active since at least 2011, targeting mostly South Korea and Japan. Known targets include governmental institutions, military contractors, maritime / shipbuilding groups, telecom operators, industrial and high technology companies and mass media.
Did the attackers use some interesting/advanced technologies?
The command-and-controls are unusual in their extensive use of AJAX technologies, making them graphically enticing and easy to use. To attack victims, the Icefog attackers commonly uses HWP documents, which are an unusual and rare form of attack, partly because the HWP product is used almost exclusively in Korea.
One one of the victims, we observed what it appeared to be the use of a Kernel exploit through a Java application for an escalation of privileges, although we do not know if it was a zero-day or not as the file was no longer available.
Does Kaspersky Lab detect all variants of this malware?
Yes, our products detect and eliminate all variants of the malware used in this campaign:
Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?
Yes, these have been released as part of our detailed report on Icefog.
The Icefog APT: Frequently Asked Questions