Hidden Lynx, a sophisticated group of professional hackers located in China, has carried out high-profile attacks on government, IT contractors and other industries at least since 2009, Symantec says.
An analysis of attacks against high-value targets, including government agencies and contractors, has revealed a large and sophisticated organization of professional hackers for hire, say Symantec researchers.
The Hidden Lynx group, located in China, dates to at least 2009 and has been involved several high-profile campaigns, including Operation Aurora, which compromised a number of high-tech companies and government contractors. Although many of the breaches have been reported, a single professional organization’s wide involvement in them had not been documented, said Symantec researcher Liam O Murchu.
“Showing up is one thing; realizing these campaigns all tie to one group is another thing,” O Murchu said. “We found them by looking at data over a long period of time.”
A recent Symantec white paper describes Hidden Lynx as an organization of between 50 and 100 individuals, divided into two operational teams using different Trojans; one team uses Backdoor.Moudoor, the other Trojan.Naid. The organization is unusual in its level of sophistication and the fact that it has carried out multiple campaigns simultaneously, targeting different types of organizations.
The variety of types of information apparently targeted points toward a specialized organization, the researchers concluded. “It is unlikely that this organization engages in processing or using the stolen information for direct financial gain,” the report says. “Their mode of operation would suggest that they may be a private organization of ‘hackers for hire,’ who are highly skilled, experienced professionals whose services are available for those willing to pay.”
Who the customers are and whether the group has any ties to the Chinese government is not addressed in the report. “We don’t know that side of it,” O Murchu said.
The targets are better known. Hundreds of attacks since November 2011 traced to the group have targeted organizations in the private sector as well as at all levels of government, according to Symantec. Most of the targets, nearly 53 percent, were in the United States, and government entities were targets of about 15 percent of attacks. The financial industry was targeted in about 25 percent of attacks and education in about 17 percent.
Attacks against defense contractors suggest that at least some of the group’s customers have been nation states, the report says.
One incident illustrates the group’s determination and sophistication. The security company Bit9 in February reported that a third party had gained access to digital code-signing certificates used to protect its customers from malicious applications. The certificates were used to sign a number of Trojans and malicious scripts. Six months later additional certificates were accessed and used to sign 32 malicious files. The signed files later were used to get access to a number of U.S. defense contractors using the Bit9 security platform. The digital signatures eventually were revoked, but the use of exploits against Bit9 to eventually breach the company’s customers showed long-term planning.
“That showed a level of determination that would be quite concerning,” O Murchu said.
Hidden Lynx also has used watering-hole attacks, compromising select websites to infect targeted visitors to the sites.
The group has been careful not to expose itself, abandoning some exploits when they became known in order to avoid attention, O Murchu said. “They were very aware of what is going on and what might trigger the interest of investigators.”
Eventual exposure is inevitable for any organization that remains in operation long enough, he said. “But the better groups are able to prolong how long it will take.”
The future of Hidden Lynx now that it has been exposed is uncertain. Some groups disappear after becoming known, and some are able to regroup and make a comeback. “We’ll have to wait and see,” he said.
NEXT STORY: The slow but steady progress of FISMA