Icefog: Windows And Mac Hackers Hit Government And Military

A hacker group that has been in operation since 2011 has been hitting government, military and telecoms organisations with a selection of Windows and Mac OS X attacks, according to a report from a security company.

The “Icefog” hacker collective have been using a backdoor for both operating systems, which has been used to carry out actions on victims’ machines, rather than automatically siphon off data. Attacks started with spear phishing emails, containing attachments with exploit code for a bunch of known vulnerabilities, affecting Microsoft Office, Oracle Java and a range of other software.

Further malware was used after initial infection, including password stealers for Outlook and Internet Explorer saved logins, and another backdoor that used a separate protocol to connect to the attackers’ command and control infrastructure.

China-based hackers

Most victims were based in Japan and South Korea. The Japanese House of Representatives and House of Councillors were both targeted. Defence industry contractors Lig Nex1 and Selectron Industrial, shipbuilding companies DSME Tech and Hanjin Heavy Industries, telecom operator Korea Telecom, and media companies Fuji TV and the Japan-China Economic Association were all hit too.

The perpetrators are believed to have bases in China, Japan and South Korea.

Kaspersky said the Mac malware had infected a few hundred machines globally in 2012 after links to it were posed across Chinese bulletin boards. “We believe this could have been a beta-testing phase for Mac OS X versions to be used in targeted attacks later,” the Russian security firm said.

The attackers used a novel attack infrastructure. “Perhaps one of the most important aspects of the Icefog C&Cs is the ‘hit and run’ nature,” Kaspersky’s report read.

“The attackers would set up a C&C, create a malware sample that uses it, attack the victim, infect it, and communicate with the victim machine before moving on. The shared hosting would expire in a month or two and the C&C disappears.

“The nature of the attacks was also very focused – in many cases, the attackers already knew what they were looking for. The filenames were quickly identified, archived, transferred to the C&C and then the victim was abandoned.”

How much do you know about information security? Try our quiz and find out!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Majority Of Businesses Expect A Cyber Breach In 2025

Depressing stat. Research from Zscaler reveals that 60 percent of global businesses expect to suffer…

7 hours ago

SEC Files To Pause Legal Battle Against Binance

Donald Trump's crypto friendly SEC seeks to pause high-profile lawsuit against cryptocurrency exchange Binance

8 hours ago

Anduril To Take Over Microsoft’s US Army HoloLens Order

Anduril Industries, the defense-tech startup of Oculus founder Palmer Luckey, is to take over Microsoft's…

10 hours ago

Man Pleads Guilty To Hack Of SEC X Account

Alabama man admits hack of a US Securities and Exchange Commission social media account to…

11 hours ago

OpenAI Rebuffs $97.4 Billion Buyout Offer From Elon Musk Group

“No thank you” says OpenAI CEO Sam Altman, after group of investors led by Elon…

14 hours ago

US, UK Refuse To Sign AI Declaration

Both the US and UK refuse to sign an international AI declaration, that had been…

15 hours ago