Australian orgs possibly hit in hacker-for-hire attacks

By on
Australian orgs possibly hit in hacker-for-hire attacks
Fog over Melbourne. Credit: David Dusink.

Mercenary group hits Windows, Mac with 'Icefog' backdoor.

Unnamed Australian organisations may be among those targeted by a mercenary hacker group revealed to have been behind a 2011 spying campaign against Japan's parliament and attacks against significant companies in multiple countries.

The technically proficient and organised group had members spread across Japan and China used a backdoor dubbed Icefog that worked across Windows and Mac OS X to gain access to systems.

Unlike some suspected state-sponsored hacker outfits which maintained access into hacked entities for months or years, the group took only the data its shady clients had paid to retrieve before quickly exiting and cleaning up evidence.

Japanese defense industry contractors including Selectron Industrial Company along with teclo Korea Telecom and media companies Fuji TV have been targeted by the group.

Kaspersky researchers detailed the group's operations in a report issued overnight. [pdf]

"We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia," the research team said in a post.

"However, we believe that this list of countries might not represent the real interest of the attackers. Some of the samples were distributed via publicly available websites and could hit random victims from any country in the world. We believe, that was done to probe the malware in different environments and test its efficiency." 

It said the group had packed Icefog into vulnerable word processor documents including Excel and Word distributed via spear phishing campaigns.

Despite the group's success, Kaspersky did not find use of zero-day vulnerabilities in what could be seen as an indication of widespread lax patching efforts across private and public industries.

"At its core, Icefog is a backdoor that serves as an interactive espionage tool that is directly controlled by the attackers," Kaspersky wrote in its report.

"It does not automatically exfiltrate data but is instead manually operated by the attackers to perform actions directly on the infected live systems. During Icefog attacks, several other malicious tools and backdoors are uploaded to the victims' machines for lateral movement and data exfiltration."

The research followed a Symantec report into another hacker-for-hire group revealed this month.

That group dubbed Hidden Lynx was possibly involved in the 2009 Operation Aurora attacks which targeted Google email accounts of journalists and human rights activists, along with Adobe and source code belonging to other prominent US targets. [pdf]

It was also linked to the high-profile February attacks against Bit9 which resulted in malware being signed by the company, and to the Voho attack campaigns targeting banks, governments and technology companies.

Kaspersky was in the process of sinkholing command and control domains which would assist it in its bid to identify and alert victim organisations.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?