Attacks/Breaches
9/18/2013
04:38 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Elite Chinese Cyberspy Group Behind Bit9 Hack

Professional, for-hire 'Hidden Lynx' gang steals intellectual property on-demand -- mostly from U.S.-based targets

A more elite and sophisticated cybersespionage group out of China was behind the breach and ultimate theft of security firm Bit9's digital code-signing certificates, which later were used to target some Bit9 customers, according to new research from Symantec.

The so-called "Hidden Lynx" cyberspy gang has waged targeted attacks since at least 2009. Attacks included water-holing campaigns in which they injected malware into legitimate websites likely frequented by their targeted industries and then sifted out their true targets, mainly from financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm's file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, which targeted Google, Intel, Adobe, and other major U.S. firms, that was revealed in 2010.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers; the breach was discovered in January of this year.

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers.

"On our side, we got samples from three different organizations all in the defense supply sector ... these were customers of ours who were at the targeted end of this attack. We don't know if they got breached or infected" by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson regarding its customers that were attacked in the wake of its breach: "The customers were not government or military entities, nor were they defense contractors or otherwise part of the DIB."

Bit9 has stopped short of providing any details on its customers who were targeted. In an interview with Dark Reading earlier this year, Sverdlove said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," Sverdlove said.

[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]

Hidden Lynx differs from other Chinese APTs, such as APT1/Comment Crew: They appear to operate on a for-hire basis, hacking specific targets for their clients who commission them, according to Symantec, which published a whitepaper on the group and its attack methods yesterday.

The group also employs "cutting edge" attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first phase attacks -- large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less-prolific piece of malware, for infecting the actual targets that are sifted from the overall infected victims.

"We've seen them using water-holing like nobody else has. They use zero days to get people infected, and ... then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude," Thakur says. "We've not seen that before" with APTs, he says.

It's unclear whether the group is directly employed by the Chinese government, but their infrastructure is based in China, says Vikram Thakur, principal security response manager and researcher with Symantec Security Response. "They do have an authority sitting above them. The reason we know this is because they don't just go after one type of data. By itself, that is quite striking ... They don't seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done."

Symantec estimates that group ranges from 50 to 100 individuals targeting hundreds of different targets, 24.6 percent of which are in the financial industry, 17.41 percent in education, 15.08 percent in government, 12.39 percent in ICT/IT, 6.64 percent in engineering, as well as about 4 to 5 percent in industries such as defense, engineering, and media.

Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with miniscule infections likely were collateral damage, such as a U.S. user traveling in that nation. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets," according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, when the attackers sift through the specific targets, likely at the behest of their contractors. "Moudoor is more popular, and most people are looking for it," so it's used in the initial attack, he says. That then masks the second-day infection from the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. "They want real intelligence from the physical world," he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via 10 legitimate websites the attackers had injected with malware, as well as other attack campaigns against energy, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec's full report on Hidden Lynx is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.