Article Lead Image

Meet Icefog, the cyber-mercenaries terrorizing Asia’s governments

Icefog has targeted defense agencies and telecoms in Japan and Korea.


Aaron Sankin

Internet Culture

Posted on Oct 1, 2013   Updated on Jun 1, 2021, 5:14 am CDT

In a report released in late August, Moscow-based cybersecurity firm Kaspersky Lab revealed the existence of a hacker group called Icefog that has attacked some of the biggest defense and telecom firms in Japan and South Korea and struck at the very heart of Japanese democracy.

“The attackers hit a wide range of industries. Targets vary from suppliers to military contractors to TV stations, satellite operators, defense contractors, shipbuilders and more,” explained Kaspersky Lab Senior Researcher Roel Schouwenberg. “This suggests the ultimate customer(s) for this type of data are government or government-related entities.”

Kaspersky’s investigation into Icefog began earlier this year when it received a sample of the attack materials used against Japanese broadcaster Fuji TV. After a careful analysis, Kaspersky researchers discovered it was an updated version of the malware used in a 2011 attack against the both houses of the Japanese legislature.  

Considering the importance of the attack, Kaspersky Lab conducted a thorough investigation and discovered at least 20 other targeted organizations, including the Japan-China Economic Association—a prominent trade group led by the chairman of Toyota.

The report noted that, while it was able to determine these companies were targeted by Icefog, not all of them were necessarily compromised.

Employing similar methods to those used by the Syrian Electronic Army, Icefog’s attacks relied on “spear-phishing” emails that work by getting unsuspecting employees of the targeted organizations to click an email link that infects their computers. When the victims opened links to what they thought were racy photos or dry policy papers, they were actually opening the door for Icefog. That gave the group, which appears to be a multi-national effort with actors in China, South Korea and Japan, the ability to steal documents, user account credentials and address book info.

Kaspersky believes Icefog is functioning as a “cyber-mercenary” organization, auctioning off its hacking skills to the highest bidder. While cyber-mercenaries are nothing new (a British intelligence report earlier this year warned of the groups’ increasing prevalence), Icefog’s history suggests a shift in both size and operating procedure that could ultimately make such cybercriminals more difficult to catch.   

“Generally what we see with cyberespionage operations are longer, persistent, campaigns,” noted Schouwenberg. “However in the Icefog campaigns we observed the attackers seemed to know what information they were after and would leave the network after the information was obtained. They try to clean up their tracks when moving on to the next target.”

APT1, the China-based hacker group that ran amok inside the computer systems of the New York Times after the paper published an article detailing the vast fortune of Chinese Prime Minister Wen Jiabao, is believed to have over 100 members; whereas, Icefog likely has under a dozen—making the latter significantly harder to track. 

“In the future, we predict the number of small, focused…[for-hire] groups to grow, specializing in hit-and-run operations,” Kaspersky research director Costin Raiu added in an interview with Forbes, “a kind of ‘cyber mercenary’ team for the modern world.”

H/T PC World | Photo by mikael altemark/Flickr

Share this article
*First Published: Oct 1, 2013, 1:02 pm CDT