Lifting the fog on cyber espionage mercenaries

Cyber espionage is likely to increase significantly, and a market for mercenary services will emerge. I will examine here the so-called Icefog cyber espionage campaign, documented by Kaspersky Lab, which has been underway for a couple of years now. The attack is named “Icefog” after a string used in the Command & Control (C&C) server name.

Initially, Icefog attacks were aimed mainly at organisations in South Korea and Japan; more recently, however, there have been several attacks on US corporations. Other targets have been identified in Taiwan and Germany.

The objective of these attacks is to steal sensitive documents, company plans, user credentials and Windows address books (.WAB files). The attackers know what they are looking for. Generally, they uplift the documents and then close the attack down in a quick hit-and-run operation. South Korean and Japanese targets include government institutions, military contractors, telecoms, shipbuilding and high-tech companies; one of the US targets is an international oil company.

These cyber espionage attacks use spear phishing to infiltrate their target. A tailored email is sent to the target, enticing them either to open a malicious attachment (a booby-trapped Microsoft Office file such as a .doc or .xls document, which exploits a vulnerability in Office when opened) or to click on a link that opens a malicious web page, which drops the malware through a Java vulnerability in the browser plug-in.

Once a system is infected, the malware opens a backdoor that allows the attacker to retrieve directory listings from the system, send commands, and upload files from the victim to the C&C server. There are both Windows and Mac OS X versions of the malware, and Kaspersky suspects there may also be an Android version. The C&C software is named “dagger three” in Chinese, a reference to an ancient Chinese weapon, a three-bladed dagger.

Once a machine is infected, the attacker examines its directory listings, and if the system is of interest, additional tools are installed. The attacker steals the specific files they are interested in by manually issuing upload commands, rather than running an automated sweep. Large files are compressed before transmission.
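The exfiltration pattern just described (a few manual uploads of compressed archives to an unfamiliar host, rather than a steady trickle of beaconing) is something a proxy or egress log can be searched for. The script below is an added example written for this post, not code from the original article or from Kaspersky's report. It assumes a constructed, space-separated proxy log format (timestamp, client, method, URL, status, bytes sent, content type) and an assumed allow-list of hosts to which large uploads are legitimately expected; the sample log lines, the host names and the 1 MiB threshold are all made up for illustration and would need tuning against real traffic.

```python
"""Heuristic hunt for Icefog-style bulk document exfiltration in a proxy log.

Added example, not code from the original post or from Kaspersky's report.
Assumed (constructed) log format, one request per line:
    timestamp client_ip method url status bytes_out content_type
The allow-list, threshold and sample lines are assumptions for the example.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: an internal mail upload (expected), a burst of
# archive uploads from 10.0.5.33 to a raw-IP host (the pattern we hunt for),
# and ordinary browsing noise.
SAMPLE_LOG = """\
2013-11-02T09:14:03Z 10.0.5.21 GET http://www.example-news.test/index.html 200 512 text/html
2013-11-02T09:15:10Z 10.0.5.21 POST https://mail.corp.example/upload 200 1843200 application/zip
2013-11-02T09:20:44Z 10.0.5.33 POST http://203.0.113.45/cgi-bin/upload.cgi 200 2621440 application/zip
2013-11-02T09:21:02Z 10.0.5.33 POST http://203.0.113.45/cgi-bin/upload.cgi 200 4194304 application/x-rar-compressed
2013-11-02T09:21:40Z 10.0.5.33 POST http://203.0.113.45/cgi-bin/upload.cgi 200 30720 application/octet-stream
2013-11-02T09:30:00Z 10.0.5.40 GET http://cdn.example-news.test/a.js 200 2048 application/javascript
"""

# Assumed allow-list: hosts where large uploads are normal for this network.
ALLOWED_UPLOAD_HOSTS = {"mail.corp.example"}
# Content types that indicate a compressed archive is leaving the network.
ARCHIVE_TYPES = {
    "application/zip",
    "application/x-rar-compressed",
    "application/x-7z-compressed",
    "application/gzip",
}
BULK_THRESHOLD = 1024 * 1024  # 1 MiB per single request; an assumed tuning value


def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, size, ctype = parts
    try:
        size = int(size)
    except ValueError:
        return None
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": urlparse(url).hostname,
        "status": status,
        "bytes": size,
        "ctype": ctype.lower(),
    }


def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_suspicious(rec):
    """Large POST of an archive, or a large POST to a raw IP, outside the allow-list."""
    if rec["method"] != "POST" or rec["host"] in ALLOWED_UPLOAD_HOSTS:
        return False
    if rec["bytes"] < BULK_THRESHOLD:
        return False
    return rec["ctype"] in ARCHIVE_TYPES or is_ip_literal(rec["host"])


def flag_bulk_uploads(log_text):
    """Return the parsed records that match the exfiltration heuristic."""
    return [
        rec
        for rec in (parse_line(line) for line in log_text.splitlines())
        if rec is not None and is_suspicious(rec)
    ]


def summarize(hits):
    """Aggregate hits per (client, destination host): request count and total bytes."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for rec in hits:
        key = (rec["client"], rec["host"])
        totals[key]["count"] += 1
        totals[key]["bytes"] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for (client, host), stats in summarize(flag_bulk_uploads(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats['count']} uploads, {stats['bytes']} bytes")
```

Run against the sample, the script reports the two archive uploads from 10.0.5.33 to 203.0.113.45 and ignores the internal mail upload and the small octet-stream POST. The per-(client, host) aggregation matters more than any single line: a hit-and-run operator produces a short burst of large uploads to one previously unseen destination, which is what an analyst would pivot on next.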

Kaspersky has identified six different versions of Icefog, each with a different method of transmitting stolen data.

The latest version of this espionage tool is known as Javafog, because its backdoor component is written in Java. Java may have been chosen because a Java backdoor is harder to spot with the usual Windows-focused tooling, which allows the intrusion to run for longer, turning a hit-and-run into a persistent presence of the kind usually labelled an APT. Javafog has three known victim organisations in the US.

To mitigate this form of attack, users should ensure they have installed the latest updates for Java, Microsoft Office and Adobe products, since the initial compromise relies on exploiting known vulnerabilities in them. Users should also be vigilant against spear phishing: suspicious, tailored emails enticing the reader to open an attachment or click a link to a web page.

The more we find out about the activities of the NSA, the less distinguishable they become from cyber espionage campaigns such as Icefog. It is not too great a leap to go from tapping Angela Merkel’s phone to stealing confidential documents through cyber espionage. The German Chancellor was surely not a terror suspect; US surveillance activities have gone beyond anti-terror toward gaining advantage. Many will legitimise cyber espionage because of what we know about Five Eyes surveillance activities.

I expect a specialised niche cyber espionage market will evolve, with cyber espionage mercenary groups offering their services. Specialisation of tasks will prevail: developers write the code, spear phishers and bot herders infiltrate targets, and specialist uplift operators steal documents, either to order or on spec, with the intention of flogging them to the highest bidder. Customers of this market will be both governments and organisations, keen to outsource cyber espionage to mercenaries to safeguard their anonymity.
