Kaspersky Lab has discovered Icefog, an emerging group of cyber-mercenaries available for hire to perform surgical hit-and-run operations against strategic targets.
The group behind the attacks is an advanced persistent threat (APT) actor that used a backdoor, also dubbed Icefog, with variants for both Windows and Mac OS X to gain access to victims' systems.
“The Mac OS X backdoor currently remains largely undetected by security solutions and has managed to infect several hundred victims worldwide,” the report (PDF) said.
This China-based campaign is almost two years old and follows the pattern of similar APT-style attacks: victims are compromised via a malicious attachment in a spear-phishing email, or are lured to a compromised website and infected with malware.
The attackers embed exploits for several known vulnerabilities (CVE-2012-1856 and CVE-2012-0158) into Microsoft Word and Excel documents.
Once a computer has been compromised, the attackers upload malicious tools and backdoors. They look for email account credentials, sensitive documents and passwords to other systems.
“We observed many victims in several other countries, including Taiwan, Hong Kong, China, USA, Australia, Canada, UK, Italy, Germany, Austria, Singapore, Belarus and Malaysia,” the research team said.
There is no concrete evidence to confirm this was a nation-state sponsored operation, but based on where the stolen data were transferred to, Kaspersky wrote that the attackers are assumed to be located in China, South Korea and Japan.
In total, Kaspersky Lab observed more than 4,000 uniquely infected IPs and several hundred victims. The company is now in contact with the targeted organizations as well as government entities in order to help them identify and eradicate the infections.