Mitre
Alias
Pla Unit 69010, Icefog, Atk 23, Temp.trident, Redfoxtrot, Moshen Dragon, Nomad Panda, Dagger Panda, Red Wendigo, Trident
Country
China
Sponsor
China, state-sponsored (PLA Unit 69010)
Motivation
Information Theft And Espionage
First Seen
2014, 2011
Description
(Kaspersky) "Icefog" is an Advanced Persistent Threat that has been active since at least 2011, targeting mostly Japan and South Korea. Known targets include governmental institutions, military contractors, maritime and shipbuilding groups, telecom operators, industrial and high-tech companies and mass media. The name "Icefog" comes from a string used in the command-and-control server name in one of the samples. The command-and-control software is named "Dagger Three", in the Chinese language.
During Icefog attacks, several other malicious tools and backdoors were uploaded to the victims' machines, for data exfiltration and lateral movement.
The later group {{RedAlpha}} has infrastructure overlap with Icefog.
Targeted
Industries
Government, Military, Aerospace, Defense, Maritime And Shipbuilding, High-tech, Media, Telecommunications, Others, Utilities
Targeted
Countries
Canada, Hong Kong, Italy, Turkey, France, Pakistan, Kazakhstan, Philippines, Malaysia, China, Sri Lanka, Russia, Germany, Taiwan, Maldives, Netherlands, Austria, Usa, Afghanistan, Uk, United States, Japan, India, Belarus, Australia, Uzbekistan, Mongolia, Tajikistan, Singapore, South Korea
Tools
Shadowpad
Icefog
Impacket
Poison
8.t
Plugx
Dagger
Shadowpad Winnti
Pcshare
Javafog
Gunters
8.t Dropper
Dagger Three
TTP
Nil
Operations
Performed
[2014-01] The Icefog APT Hits US Targets With Java Backdoor (Since the publication of our report, the Icefog attackers went completely dark, shutting down all known command-and-control servers. Nevertheless, we continued to monitor the operation by sinkholing domains and analyzing victim connections. During this monitoring, we observed an interesting type of connection which seemed to indicate a Java version of Icefog, further to be referenced as "Javafog".) (https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/)
[2015] "Topnews" Campaign (target: Government, Media, And Finance Organizations In Russia And Mongolia.)
[2016] "Apper" Campaign (target: Kazakh Officials.)
[2018] "Waterfight" Campaign (target: Water Source Provider, Banks, And Government Entities In Turkey, India, Kazakhstan, Uzbekistan, And Tajikistan.)
[2018] "Phkight" Campaign (target: An Unknown Entity In The Philippines.)
[2018/2019] "Skyline" Campaign (target: Organizations In Turkey And Kazakhstan.) (https://www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/)
Counter
Operations
Nil
Information