'Hidden Lynx' Group Hacks for Highest Bidder: Symantec Report

By Robert Lemos  |  Posted 2013-09-18

A professional group of hackers, likely based in China, has infiltrated government agencies, multinational companies and even security firms, using sophisticated tactics and tools, according to a report released by Symantec on Sept. 18.

The group, dubbed "Hidden Lynx" by Symantec researchers, has attacked hundreds of organizations since the first signs of their attacks became evident in 2009. The group has recently conducted attacks against South Korea and has also attacked a number of firms in the United States' defense industrial base, or DIB, Symantec stated in the report.

"They are methodical in their approach and they display a skill set far in advance of some other attack groups also operating in that region, such as the Comment Crew," Satnam Narang, a researcher at Symantec, stated in an email interview with eWEEK. "The wide variety of industries targeted and their use of supply chain organizations to reach these targets demonstrates that any organization is a potential target."

While the Symantec report gives new details on the group, researchers have been studying these hackers for some time. Security services firm CrowdStrike calls the group Aurora Panda—"Panda" being their lexicon for any group suspected of being based in China—for its part in Operation Aurora, a large espionage effort that stole information from more than two dozen multinational companies, including Google.

In addition, the group was behind the attack on security giant RSA, which resulted in the company losing an important database of keys for generating the one-time passwords for its SecurID products, Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, told eWEEK.

"We have been tracking them very closely for many years," Alperovitch said. "They are certainly the best hacking group that is operating out of China—very professional, very methodical, and have access to a large number of zero days."

The hacking group has two teams that focus on different targets, according to Symantec's report. The first uses a customized version of the Gh0st RAT Trojan, named Backdoor.Moudoor, to compromise a large number of targets in different industries.

The second team uses a custom attack program, dubbed Trojan.Naid by Symantec, to attack specific targets in very limited campaigns. The Naid Trojan was used both to compromise security firm Bit9 and as part of the compromise of more than two dozen multinational companies, publicly acknowledged by Google in 2009, in one of the first cyber-espionage campaigns discussed in the media. The security firm has named the two subgroups Team Moudoor and Team Naid after their primary tools.

The compromise of security firm Bit9, leading to the leak of a digital certificate that could sign malware, has garnered a great deal of notoriety for the group. Programs signed with the certificate are considered trusted and will not be blocked by the company's security technology.

Because the group attacks a wide variety of targets, appears very professional and likely has between 50 and 100 skilled security experts, Symantec concluded that it is likely a company that hacks for clients.

"The sheer variety of targets this group attacks points to them being 'hackers for hire'—potentially offering their services to whoever can pay the highest price," Narang said. "Given the fact this group isn't focused on a specific industry or geographical region—they target both public and private organizations—their motivation appears to be financial gain."

Yet, other security experts disagree. While the group could be a company, they are most likely closely tied to the Chinese government, said CrowdStrike's Alperovitch.

"Whether they are a part of the government, like an intelligence agency or a military unit, I don't know. But, I don't believe they are just out there for anyone to hire," he said.
