Icefog: The Hacker Crew Trying to Break Into Your Weapons
September 26, 2013
A new cyber-theft ring from Asia is committing a string of smash-and-grab-style attacks against suppliers to major military contractors. This isn’t just any hacker crew; its targeting of defense subcontractors means it could easily undermine the integrity of the world’s weapons.
This new crew, dubbed Icefog by Kaspersky Lab, is small and nimble, and it appears to know exactly what it wants to steal from its victims. Unlike some other advanced hacker outfits that linger on victims’ networks for months or years after gaining access, the Icefog crew doesn’t stick around waiting to get caught.
"They will infiltrate an organization. They know exactly what they are looking for, pull it out, and as soon as they complete their assignment they move on — they actually clean things up and move on," said Kurt Baumgartner, a security researcher with Kaspersky, during a speech in Washington today.
Kaspersky researchers think the people behind Icefog are based in China, South Korea, and Japan.
Icefog attacked several hundred victims, ranging from TV stations, satellite operators, and maritime logistics firms to communications businesses, defense contractors, and shipbuilders, according to Kaspersky. Most of the victims are in South Korea and Japan, but victims have been found everywhere from China to Belarus. There are also "strong suggestions that there were Western targets, including the U.S.," said Baumgartner.
The crew steals "sensitive documents and company plans, e-mail account credentials, and passwords to access various resources inside and outside the victim’s network," reads Kaspersky’s press release. "They look for specific filenames, which are quickly identified, and transferred to" Icefog.
Most alarming are the crew’s attacks against smaller parts suppliers to major defense contractors. Icefog’s hackers could break into the poorly defended network of a defense subcontractor and plant destructive malware inside its products before they are placed in a weapon such as a fighter jet.
This "creates a lot of problems because not only is there potential for economic espionage … there’s the chance for low-scale sabotage with destructive attacks that bring a whole new set of challenges," said Baumgartner.
One South Korean company that Icefog was interested in "provides heads-up displays for F-15s, and they provide radar jamming for F-16s" used by Seoul’s air force, said Baumgartner. He would not reveal whether the firm, LIG Nex1, had actually been penetrated by Icefog.
This past July, David Shedd, deputy director of the U.S. Defense Intelligence Agency, warned that foreign intelligence agencies are trying to do exactly that to American military suppliers.
"Our adversaries are very active in trying to introduce material into the supply chain in ways that threaten our security from the standpoint of their abilities to collect [intelligence] and disrupt" U.S. military operations, said Shedd.
Making things worse is that the United States doesn’t have a true understanding of how vulnerable its supply chain is to this style of attack.
"I’m generally an optimist, [but] in the supply chain area, I’m very concerned," said Shedd, given that he doesn’t truly know the full extent of adversary penetration into DOD weapons systems. "You don’t know what you don’t know, and the old adage of the weakest link is obviously what we need to be concerned about."
That’s exactly the link Icefog is pounding. Baumgartner said the small, well-funded crew of "cyber-mercenaries" develops new attack techniques for each target. This makes Icefog incredibly hard to track, since researchers have a hard time connecting individual attacks to one another before it’s too late.