Icefog: Windows And Mac Hackers Hit Government And Military

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Chinese-based hackers hit various Asian targets in targeted attacks

A hacker group that has been in operation since 2011 has been hitting government, military and telecoms organisations with a selection of Windows and Mac OS X attacks, according to a report from a security company.

The “Icefog” hacker collective have been using a backdoor for both operating systems, which has been used to carry out actions on victims’ machines, rather than automatically siphon off data. Attacks started with spear phishing emails, containing attachments with exploit code for a bunch of known vulnerabilities, affecting Microsoft Office, Oracle Java and a range of other software.

© Karen Roach - Fotolia (Medium)Further malware was used after initial infection, including password stealers for Outlook and Internet Explorer saved logins, and another backdoor that used a separate protocol to connect to the attackers’ command and control infrastructure.

China-based hackers

Most victims were based in Japan and South Korea. The Japanese House of Representatives and House of Councillors were both targeted. Defence industry contractors Lig Nex1 and Selectron Industrial, shipbuilding companies DSME Tech and Hanjin Heavy Industries, telecom operator Korea Telecom, and media companies Fuji TV and the Japan-China Economic Association were all hit too.

The perpetrators are believed to have bases in China, Japan and South Korea.

Kaspersky said the Mac malware had infected a few hundred machines globally in 2012 after links to it were posed across Chinese bulletin boards. “We believe this could have been a beta-testing phase for Mac OS X versions to be used in targeted attacks later,” the Russian security firm said.

The attackers used a novel attack infrastructure. “Perhaps one of the most important aspects of the Icefog C&Cs is the ‘hit and run’ nature,” Kaspersky’s report read.

“The attackers would set up a C&C, create a malware sample that uses it, attack the victim, infect it, and communicate with the victim machine before moving on. The shared hosting would expire in a month or two and the C&C disappears.

“The nature of the attacks was also very focused – in many cases, the attackers already knew what they were looking for. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned.”

How much do you know about information security? Try our quiz and find out!