A new group of cyber attackers is eschewing long-term system compromise for fast hit-and-run style network breaches, part of a shift in tactics that’s making it harder for defenders to protect systems.
The group, tracked by cybersecurity vendor Kaspersky Lab over the past two years, primarily targeted defense contractors in Asia, mostly in Japan and South Korea. Some of those firms are involved with the manufacture of US military platforms, the researchers said.
But Kaspersky’s team said that while a report released Sept. 25 focused on one group, a larger pattern was emerging.
“We’re starting to see more smaller, agile, hit-and-run-type crews where they will infiltrate an organization. They know exactly what they’re looking for, pull it out, and as soon as they complete their assignment, they move on,” said Kurt Baumgartner, principal security researcher for Kaspersky’s global research and analysis team. “They actually abandon the company, clean their things up and move on.”
That approach stands in stark contrast to the tactics typically seen from attackers over the past several years, where vulnerabilities would give the attackers long-term access, sometimes for years at a time. Typically, victims wouldn’t notice for several months, and the attackers could monitor large amounts of data with barely detectable programs meant to pass along information in a network.
But by leaving quickly and eliminating the tools they use, the new groups are often not detected during attacks, and it’s difficult to even know that they were active after the fact. Just as military operations often aim for quick strikes that don’t allow a defender to respond, it seems cyber attackers are using their own rapid strike methods.
“These attacks have been going on for so long that it’s only natural to see them evolve toward a more efficient, highly refined approach,” said Jeffrey Carr, a cyber expert who heads the Taia Global security firm.
The group that Kaspersky tracked used a Chinese word that roughly translates as three-daggers, in reference to an ancient weapon, in its command-and-control code. The vulnerabilities it employed were dubbed “Icefog” by the researchers and included backdoors in both Windows and Mac OS systems. Like most attacks prevalent today, the attackers used “spear phishing” emails (messages targeting individual users on a network that are designed to get them to download an infected file or go to a dangerous link) to gain initial access to a system.
Kaspersky described the group as routinely changing its structure and functioning as mercenaries, with bases in several countries but the primary activity coming out of China.
“It’s interesting the Icefog attackers were distributed, they weren’t located all in one country,” Baumgartner said.
The targets, of military interest in countries that are rivals of China, create the obvious implication of Chinese government involvement. And while, in recent years, most attention has been paid to attacker groups described as state-run operations, Carr said he thinks the mercenary approach is more common.
“In my opinion, most of the attacks that have been discovered over the past few years are the work of mercenary hacker crews rather than foreign intelligence services,” he said. “They’ve been assumed to be state-run because they were targeting intellectual property rather than financial institutions.”
There’s money to be made in that intellectual property, though, and the eventual customer may be a nation-state even if the group is not directly sponsored by a country.
The precise targets the Icefog attackers hit were not disclosed by the company to protect the privacy of the victims, but they included contractors, government entities and even media outlets, primarily in South Korea and Japan.
Much of the targeting of contractors appeared to be fairly far down in the supply chain, Baumgartner said, where targets create opportunity for espionage and sabotage.
“To pick this part of the supply chain, instead of going further up, and consistently aiming for defense companies makes a lot of sense,” he said. “The supply chain is most definitely under effective attack.”
For those trying to defend networks, it’s a reminder that the biggest problem is attackers who already know what files they want, Carr said.
“This underscores the need to build their defenses around a data-centric model rather than a network-centric one,” he said. “It doesn’t matter who’s attacking them if they know which files are of interest.”