Rise Of The Hit-And-Run APT

A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave -- with specific targeted information

Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, smash-and-grab strategy using contracted hackers.
The newly discovered Icefog attack campaign, unmasked by Kaspersky Lab this week, features hit-and-run attacks on targeted Windows machines, where the attackers steal what theyre after and then get out. The attack also appears to be beta testing a Mac OS X backdoor, according to the researchers, who say it operates out of China, South Korea, and Japan.
Such a for-hire, commando-type operation at first glance may seem to contradict the p in APT -- persistent -- but researchers say the in-and-out attack is a better way to remain undetected and successfully complete their mission. Getting in and out of networks quickly is generally going to be more covert than staying in long-term. Staying in longer does provide an attacker with the opportunity to exfiltrate the data more slowly, says Roel Schouwenberg, senior researcher, in an email interview. I think a lot of people have been using the term APT and cyberespionage interchangeably. This group is as persistent as it needs to be to get the job done.
Moving in and out of the targets network quickly suggests the attackers have been instructed to grab specific information, he says. We do think this actor functions as a cybermercenary group, Schouwenberg says.
The attackers plant a backdoor thats directly and manually controlled by the attackers. It doesnt automatically pilfer information and credentials like most traditional cyberespionage attacks do; instead, the attackers interact live with the infected machines. And additional backdoors and malware are placed on the victims machines for siphoning the data, as well as moving laterally within the victims network, Kaspersky Lab found.
Icefogs unmasking follows that of a Chinese APT group called Hidden Lynx, which also operates on a for-hire basis, hacking specific targets for clients who commission them. Symantec, which
published a whitepaper on the group
and its attack methods earlier this month, found that the Hidden Lynx gang was behind water-holing attacks that targeted U.S. financial services firms, and also broke into Bit9s server to gain access to its file-signing infrastructure in order to sign malware. Its also connected to the infamous Operation Aurora attacks on Google, Adobe, Intel, and others.
Cyberespionage actors are performing more reconnaissance these days from inside-out as well as outside-in, says Tom Kellermann, vice president of cybersecurity at Trend Micro. Trend Micro lately has seen more smash-and-grab attacks by cyberspies, he says.
It looks more like a commando-style op [now], Kellermann says. But keep in mind that, realistically, every time they do leave, they are leaving behind a remote access Trojan or a backdoor in some host in order to maintain a foothold, he says. In some cases, they leave the backdoors on backup servers because those machines are rarely updated or changed, says Kellermann, whose company published a
report this week
on APTs.
Icefog, meanwhile, has been in operation since 2011. It has targeted mainly defense contractors in South Korea, Taiwan, and Japan, including government institutions, maritime and shipbuilding organizations, telecommunications providers, satellite operators, high-tech firms, and mass media. Kaspersky Lab says its likely the gang -- which is still actively attacking victims -- also targets interests in the U.S. and Europe.
The researchers sinkholed 13 of Icefogs 70 or so domains to study the attack, and saw more than 4,000 infected IP addresses and several hundred victims. Among the defense contractors that appear to be in the bulls eye of the campaign are Lig Nex1 and Selectron Industrial Company; shipbuilding firms DSME Tech and Hanjin Heavy Industries; telecom operator Korea Telecom; and media Fuji TV and the Japan-China Economic Association. Kaspersky Lab says the attacks were not necessarily successful against those targets, however.
They spotted a few dozen Windows machines that were infected, along with more than 350 Mac OS X machines. The attackers were mostly stealing sensitive documents, email account credentials, and passwords to internal and external resources of the victims.
Unlike traditional APT attacks that linger for months or years, the Icefog attack lasts for a few days or weeks: Once the attackers get the information they were after, they leave -- a more focused APT model that Kaspersky expect to become more popular.
This is another cyberespionage attack featuring a Mac/OSX component. Businesses need to be thinking more about protecting their non-Windows machines, Kasperskys Schouwenberg says.
[Cyberattacks could have real-world economic consequences in the oil and gas markets, even at the pump. See
Destructive Attacks On Oil And Gas Industry A Wake-Up Call
.]
Destructive APTs
Kellermann says APTs -- which mostly are associated with stealing, not destroying information -- could begin adopting a more destructive approach in the near future. As we become better at incident response, we are going to see more manifestations of destructive payloads against you for turning of a C&C, for example, he says. Its not just political events that will be the harbinger of destructiveness ... they will use this to punish organizations and to obfuscate what theyre doing on the network.
Theyve done incredible levels of recon and know our networks better than we do, and know our critical failures.
There has already been at least one high-profile case of this: The recent Dark Seoul DDoS and data destruction attacks on major South Korean banks, media outlets, and other entities were part of a four-year effort to steal information about South Korean military and government operations. The so-called
Operation Troy
also targeted U.S. Forces Korea, Republic of Korea, the Korean Department of Defense, and the U.S. Department of Defense, and the DDoS and data destruction attacks were merely serving as a smokescreen for the theft of military secrets about South Korea and the U.S., researchers from McAfee discovered.
Advanced threats, such as nation-state APTs, will be the topic of an Interop talk next week by Bit9 CTO Harry Sverdlove, who will present 14 lessons learned from actual advanced attacks.
The full Kaspersky Lab report on Icefog is available
here
(PDF) for download.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Rise Of The Hit-And-Run APT