‘Hit and Run’ APT on Loose

Thursday, September 26, 2013 @ 05:09 PM gHale


An Advanced Persistent Threat (APT) group is targeting South Korean and Japanese companies, and in doing so is striking the supply chain that Western companies depend on, researchers said.

The operation, discovered by Kaspersky Lab, started in 2011 and has grown in size and scope over the last few years.

Dubbed Icefog by the researchers, the campaign illustrates an emerging trend: smaller hit-and-run gangs that go after specific information with surgical precision. An intrusion usually lasts for a few days or weeks; once the attackers have obtained what they came for, they clean up and leave.

This could be a future trend, said Costin Raiu, director of the global research and analysis team at Kaspersky.

Kaspersky found:
• Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.
• Research indicates the attackers were targeting defense industry contractors such as LIG Nex1 and Selectron Industrial Company, shipbuilding companies such as DSME Tech and Hanjin Heavy Industries, telecom operators such as Korea Telecom, media companies such as Fuji TV, and the Japan-China Economic Association.
• The attackers steal sensitive documents and company plans, email account credentials, and passwords used to access various resources inside and outside the victim's network.
• In most other APT campaigns, victims remain infected for a long period while data is siphoned off. Icefog operators instead process victims one by one, locating and copying only specific, targeted information. Once they have it, they leave.

Kaspersky researchers sinkholed 13 of the 70 domains used by the attackers, so that infected machines trying to reach those command and control hosts connected to researcher-controlled servers instead. This provided statistics on the number of victims worldwide. In addition, the Icefog command and control servers maintain encrypted logs of their victims together with the various operations performed on them.

In addition to Japan and South Korea, there were sinkhole connections in other countries, including Taiwan, Hong Kong, China, the USA, Australia, Canada, the UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia.
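To show how sinkhole connections become the victim statistics described above, here is an added example (not code from the article or from Kaspersky's report) that parses constructed sinkhole records, counts distinct infected hosts per country rather than raw connections, and estimates how long each host kept beaconing. The log format, domain names, addresses and country codes are all assumptions made up for the example; they are not Icefog indicators.

```python
"""Turn constructed sinkhole connection records into per-country victim counts.

Added example; the record layout "timestamp src_ip domain country" is an assumption,
and every address, domain and country code below is constructed, not real data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records. One host may beacon many times and rotate between
# C2 domains, which is exactly why raw connection counts overstate victims.
SAMPLE_LOG = """\
2013-09-20T08:01:12Z 203.0.113.10 sinkhole-a.example KR
2013-09-20T08:06:13Z 203.0.113.10 sinkhole-a.example KR
2013-09-20T09:00:00Z 198.51.100.7 sinkhole-b.example JP
2013-09-21T11:20:45Z 198.51.100.7 sinkhole-a.example JP
2013-09-21T12:00:00Z 192.0.2.44 sinkhole-c.example US
2013-09-22T12:05:00Z 192.0.2.44 sinkhole-c.example US
"""


@dataclass(frozen=True)
class Hit:
    ts: datetime
    src_ip: str
    domain: str
    country: str


def parse_log(text: str) -> list[Hit]:
    """Parse whitespace-separated sinkhole records; blank lines are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, domain, cc = line.split()
        # ISO-8601 with a trailing Z; fromisoformat needs an explicit offset
        hits.append(Hit(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, domain, cc))
    return hits


def victims_by_country(hits: list[Hit]) -> dict[str, int]:
    """Count distinct source addresses per country, not connections.

    Caveat: hosts behind one NAT gateway collapse into a single address, so this
    is a lower bound on infected machines, not an exact count.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        seen[h.country].add(h.src_ip)
    return {cc: len(ips) for cc, ips in sorted(seen.items())}


def dwell_time_days(hits: list[Hit]) -> dict[str, float]:
    """First-to-last contact per host, in days: a rough proxy for how long an
    infection stayed alive, which is what distinguishes hit-and-run operators."""
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    for h in hits:
        first[h.src_ip] = min(first.get(h.src_ip, h.ts), h.ts)
        last[h.src_ip] = max(last.get(h.src_ip, h.ts), h.ts)
    return {ip: (last[ip] - first[ip]).total_seconds() / 86400 for ip in first}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("connections:", len(parsed))
    print("victims by country:", victims_by_country(parsed))
    for ip, days in dwell_time_days(parsed).items():
        print(f"{ip}: beaconed for {days:.2f} days")
```

The six sample connections reduce to three victims, one per country, and the dwell times come out at roughly a day each; on real sinkhole data the same pass would also separate genuine victims from scanners and researchers, which tend to show up as single, isolated hits.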

