Attacks/Breaches
9/18/2013
11:43 AM
Connect Directly
RSS
E-Mail
50%
50%

Chinese "Hidden Lynx" Hackers Launch Widespread APT Attacks

Symantec says advanced persistent attack operators are tied to hundreds of cyber break-ins, including Operation Aurora against Google.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Remember Comment Crew, also known as APT1 or the Shanghai Group? They're the Chinese cyber-espionage gang that security firm Mandiant singled out earlier this year for having launched a number of devastating attacks against U.S. businesses and defense contractors.

Well, their efforts have been consistently -- and silently -- trumped by "Hidden Lynx," a different group of "best of breed" advanced persistent threat (APT) attackers who have hacked into the networks of such businesses as Adobe, Bit9, Google Lockheed Martin and RSA, according to a report released Tuesday by security firm Symantec.

"This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew," due in no small measure to the group's technical abilities, levels of organization, "sheer resourcefulness" and patience, Symantec's Security Response team said in a related blog post. It said the group's name was drawn from code retrieved from the hackers' command-and-control servers.

[ How secure is the new iPhone? Read Apple Hackers Rate iPhone 5s Security. ]

Like the Comment Crew, Hidden Lynx appears to be operating from China, and employs largely Chinese-built tools and China-based malicious infrastructure. But Symantec said that unlike Comment Crew, this group -- which regularly steals information that would be of value "to both commercial and governmental organizations" -- appears to be a much more "well-resourced and sizeable organization."

"There is no question they're working on behalf of the Chinese government," CrowdStrike CTO Dmitri Alperovitch told The Wall Street Journal. He said the group, which Crowdstrike has been tracking for years -- the firm refers to it as "Aurora Panda" -- might serve as defense contractors for the Chinese government.

According to CrowdStrike, since November 2011, half of the group's targets have been in the United States, 16% in Taiwan and 9% in China.

Hidden Lynx appears to have been active since 2009, and often runs multiple attack campaigns simultaneously. "This group doesn't just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently," said Symantec. "Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that [is] contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.