Chinese Worm the Latest Turn in Cyber-War

Posted at 9:26 pm on October 7, 2013 in News

The plot is chilling. A cyber-mercenary gang known as “Icefog” operating out of China unleashes its insidious worm “Dagger Three” to infiltrate computers of foreign governments and their defense contractors, steal vital secrets, then leaves in an electronic mist before anyone is the wiser.

Sounds like a job for James Bond, though maybe he’s too old school. Perhaps they can resurrect Jason Bourne for this movie, or just find some high school sophomore geek.

The ‘Icefog’ APT: A tale of cloak and three daggers. Cover for Kaspersky’s public report.

Except this isn’t a movie plot. In a case of today’s headlines ripped from the pages of yesterday’s science fiction, the multinational cyber-security firm Kaspersky Lab in late September announced its discovery of Icefog, labeling it an Advanced Persistent Threat in cyber-security lingo.

Kaspersky describes Icefog as a small yet energetic APT group that focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years.

APTs are nothing new, but Icefog is different.

Kaspersky notes the modus operandi of most APTs is to hit “pretty much all types of victims and sectors. In most cases, attackers maintain a foothold in corporate and governmental networks for years, smuggling out terabytes of sensitive information.”

The mercenaries of Icefog, on the other hand, are more intensely focused.

“The ‘hit and run’ nature of the Icefog attacks demonstrate a new, emerging trend: smaller hit-and-run gangs that go after information with surgical precision,” said Costin Raiu, Director of Kaspersky’s Global Research & Analysis Team (GReAT – a bit pompous, but it’s their acronym). “The attack usually lasts for a few days or weeks, and after obtaining what they were looking for, the attackers clean up and leave. In the future, we predict the number of small, focused ‘APT-to-hire’ groups to grow, specializing in hit-and-run operations; a kind of ‘cyber-mercenary’ team for the modern world.”

Somehow, I keep hearing M lecturing Bond using the same pitch, or a duplicate monologue given by the nameless recording that gives the assignment to Mr. Phelps, or now, Nathan Hunt, just before the recording self-destructs.

Of course, cyber-attacks in science fiction have been around at least since William Gibson first used the term cyberspace in his 1982 short story “Burning Chrome.” In that story, two ‘Net cowboys burn down a big-time crime syndicate money handler, all for the sake of a woman.

What motivates Icefog is not clear, though with security analysts calling them mercenaries, it would not be surprising if money is at the heart of it. Yet mercenaries also allow the Chinese government “to deny any knowledge of their actions” should these hackers of fortune ever be unmasked, even though the Chinese government is the most likely buyer for their stolen information.

Whatever motivates them, these guys are clearly influenced by science fiction in all its forms, and for that matter, so is GReAT. Icefog is also the pseudonym of a game designer for Warcraft III, or so I learned when searching the name. GReAT pinned the name on this group after finding the term Icefog in a string for the command-and-control server name. The command-and-control software is called “Dagger Three” in the Chinese language. “Three Daggers” is an ancient Chinese weapon popular in anime, as shown on the cover for GReAT’s public report.

Icefog and its Dagger Three operation is only the latest battle to come to light in this multisided shadow war fought with bytes instead of bullets. There’s no way to know who’s winning from the information made public so far. We may not even know who won until years after a “victory,” if this war ever ends. No one may be able to pinpoint when the shadow war began. Yet this is one of those turns in history when sci-fi writers were writing about it long before reality caught up with their stories.

There are rumors and news stories quoting unnamed sources about U.S. activities on its side of the war, including a rather amazing feat of releasing the infamous worm Stuxnet that slipped into labs used by the Iranian nuclear development program. Stuxnet’s target: the sophisticated centrifuges vital for producing weapons-grade material for a nuclear bomb. Stuxnet made the centrifuges spin at the wrong speed so they tore themselves apart and set the nuclear program back, the first example of a computer virus physically damaging non-computer equipment. The United States may have had some help from Israeli intelligence to pull that off, though the hacking was mostly an American operation. The Israelis are rather old school themselves and allegedly resorted to assassination of key Iranian scientists.

Chinese hacks have become increasingly common. Earlier this year, American intelligence officials reported an overwhelming percentage of attacks on American corporations was coming from a nondescript 12-story building in a rundown Shanghai neighborhood. The building is the headquarters of the People’s Liberation Army Unit 61398. But while Unit 61398 is credited with running a large number of hacking groups in broad-range attacks, Icefog is small and precise – and much more dangerous.

The stories of cyber warfare have appeared in science fiction pages for decades. Finally, in the 21st century, reality caught up with those stories, making for even more interesting times on the ‘net, and perhaps inspiring even more sci-fi cybernoir? 


Securelist: The Icefog APT: A Tale of Cloak and Three Daggers

New York Times: Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

IEEE Spectrum: The Real Story of Stuxnet – How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program
