(Kaspersky) “Icefog” is an Advanced Persistent Threat that has been active since at least 2011, targeting mostly Japan and South Korea. Known targets include governmental institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media. The name “Icefog” comes from a string used in the command-and-control server name in one of the samples. The command-and-control software is named “Dagger Three”, in the Chinese language. During Icefog attacks, several other malicious tools and backdoors were uploaded to the victims’ machines, for data exfiltration and lateral movement. The later group {{RedAlpha}} has infrastructure overlap with Icefog.
Actor: Icefog, Dagger Panda
Names: Icefog, Dagger Panda, ATK 23
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First-seen: 2011
Observed-sectors: Aerospace, Defense, Government, High-Tech, Maritime and Shipbuilding, Media, Telecommunications, Utilities, others
Observed-countries: Australia, Austria, Belarus, Canada, China, France, Germany, Hong Kong, India, Italy, Japan, Kazakhstan, Malaysia, Maldives, Mongolia, Netherlands, Pakistan, Philippines, Russia, Singapore, South Korea, Sri Lanka, Taiwan, Tajikistan, Turkey, UK, USA, Uzbekistan
Tools: 8.t Dropper, Dagger Three, Icefog, Javafog, ShadowPad Winnti
Operations: 2014-01: “The Icefog APT Hits US Targets With Java Backdoor”. Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analyzing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, further to be referenced as “Javafog”. https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/
Operations: 2015: “TOPNEWS” Campaign. Target: Government, media, and finance organizations in Russia and Mongolia.
Operations: 2016: “APPER” Campaign. Target: Kazakh officials.
Operations: 2018: “WATERFIGHT” Campaign. Target: Water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan.
Operations: 2018: “PHKIGHT” Campaign. Target: An unknown entity in the Philippines.
Operations: 2018/2019: “SKYLINE” Campaign. Target: Organizations in Turkey and Kazakhstan. https://www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/
Information: https://media.kaspersky.com/en/icefog-apt-threat.pdf
Information: https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf
Information: https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt
Last-card-change: 2021-04-20
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| | | T1053.002 Scheduled Task/Job: At | T1053.002 Scheduled Task/Job: At | T1053.002 Scheduled Task/Job: At | | | | | | | | |

T1053.002 Scheduled Task/Job: At (mapped to the Execution, Persistence and Privilege Escalation tactics): at can be used to schedule a task on a system to be executed at a specific date or time.