Researchers from Russia-based Kaspersky Lab have uncovered a gang of hackers for hire who specialize in surgical strikes that quickly infiltrate suppliers to Western companies, steal highly sensitive data, and then vanish.

Icefog, as the group of "cyber mercenaries" has been dubbed, is made up of six to 10 members who are able to infect both Windows and Mac computers with advanced malware that's extremely hard to detect, Kaspersky researchers revealed in a report published Wednesday.

That's a tiny membership compared with other gangs engaged in advanced persistent threat (APT) attacks that siphon gigabytes or even terabytes of sensitive data out of corporations, defense contractors, and government agencies. The so-called APT1 group that has hacked more than 100 large companies, for instance, has as many as 100 members, a roster that leaves plenty of tracks for security defenders to find.

"This created an opportunity for smaller groups that nobody knows about," Costin Raiu, director of Kaspersky's global research and analysis team, told Ars. "This new trend that we're talking about is the emergence of smaller groups that are difficult to track because they only perform surgical strikes. They don't download everything from your network. They look for specific file names and disappear."

Hidden Lynx, the group of hired hackers Ars profiled last week, has 50 to 100 members.

In the past two years, Icefog has compromised somewhere from 500 to 4,000 victims, Raiu said. The wide-ranging estimate is based on data the researchers found on command-and-control servers that sent and received data from infected machines. The Icefog backdoor is an interactive tool that attackers use in real time to rifle through infected computers, locate specific files, and then download them. Its Mac version is known as Macfog. Easily decrypted data left behind on the servers showed specific targets that were penetrated and the names of files that were obtained. It also showed the unique names of 400 Mac machines and 100 Windows PCs that came from 4,000 unique IP addresses.

"We believe the Macfog infections from last year were some kind of beta testing," Raiu said. Members "wanted maybe to see if the malware was effective and if it could be used in the wild against their targets. The Mac malware is fully functional and has the same features as the Windows malware."

Both the Windows and Mac machines were infected by exploiting vulnerabilities in Oracle's Java browser plug-in, Microsoft's Office applications, and other software that hadn't been updated with recent security patches. There's no evidence the group used so-called zero-day attacks, which exploit previously unknown security bugs.

Most of the companies the Icefog gang has penetrated are located in South Korea and Japan. It's possible that the ultimate goal of the intrusions was to appropriate data belonging to organizations located in the US and other Western countries that do business with the victims.

In some ways, the Icefog gang is the hacking equivalent of a highly skilled cat burglar who spends weeks or months learning where to find the diamonds and fine art in a targeted penthouse so he can break in, immediately steal them, and make a quick getaway.

"The analogy would be the rich person living in Manhattan is throwing a party and somebody comes into his house and sees a pretty painting or diamonds," Raiu explained. "They just go to the professional burglar and say: 'I want you to break into this specific apartment and get me the Picasso painting, the Dali, or whatever.'"

This article was updated to correct a misstatement in the third paragraph about one of the targets hacked by APT1.