Chinese "Hidden Lynx" Hackers Launch Widespread APT Attacks

Symantec says advanced persistent attack operators are tied to hundreds of cyber break-ins, including Operation Aurora against Google.
Hidden Lynx's bona fides include inventing the "watering hole" attack technique, which involves exploiting a third-party website to infect visitors with malware, thus allowing attackers to gain access to their true target. That attack technique was seen earlier this year in an exploit of an iOS development site, which led to intrusions at Apple, Facebook, Microsoft and Twitter. Although that attack wasn't ascribed to Hidden Lynx, it shows how the group's cutting-edge exploits are quickly adopted by competitors.

The hackers inside Hidden Lynx also appear to have had early access to multiple zero-day vulnerabilities, which means the group might have discovered the related code bugs itself. Regardless, having such exploits at hand would give the group's attacks a much greater chance of success, because many targeted businesses or government agencies wouldn't have defenses in place.

Given the group's capabilities, it "could easily consist of 50 to 100 individuals," said Symantec, noting that the hackers appear to have been grouped into two different teams, each of which employs a different range of attack tools and techniques. Symantec has dubbed one of these groups "Team Moudoor," after the name of a well-known Trojan -- often used by the group -- that's a customized version of the backdoor "Gh0st RAT" malware. In general, this team "uses disposable tools along with basic but effective techniques to attack many different targets," and apparently doesn't care if its attack tools get spotted. Symantec said one of the group's main functions might simply be to gather intelligence on targets.

The second group, dubbed Team Naid, is more of an elite unit that appears to be tasked with cracking "the most valuable or toughest targets," according to Symantec. Its principal weapon appears to be the Naid Trojan, which "is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option." Interestingly, the Naid Trojan has been recovered from several high-profile and relatively advanced exploits, including the 2009 Aurora attacks that compromised Google and other businesses.

As that suggests, the hackers appear to be both technically sophisticated and thorough. For example, in July 2012, when Team Naid was attempting to hack into defense contractors, it found itself blocked by trust-based protection software from security vendor Bit9. In response, the Naid attackers turned their sights on Bit9 itself. The attackers used a SQL injection attack to hack into Bit9's network, identified how files were signed using the company's protection mechanisms, then signed a number of their own malicious files, which they used to attack U.S. defense contractors. Bit9 ultimately publicly revealed the attacks in February 2013.
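The Bit9 intrusion described above started with a SQL injection flaw in a web-facing application. The following is an added illustration, not Bit9's code or anything from the Symantec report, of why that class of bug matters and how it is closed: a lookup that splices user input into the query text next to the same lookup using bound parameters. The table, the `users` schema and the sample input are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# This is illustrative only; it is not Bit9's schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # String concatenation: attacker-controlled text becomes part of the SQL
    # statement itself, so a crafted value can change what the query does.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, name):
    # Placeholder binding: the driver sends the value separately from the
    # statement text, so the input can only ever be compared as data.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed input containing a quote and a tautology, the textbook shape
# that a web application firewall or input-validation layer should flag.
SAMPLE_INJECTION = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        # The concatenated query collapses to WHERE name='x' OR '1'='1'
        # and returns every row in the table.
        "vulnerable_rows": len(lookup_vulnerable(conn, SAMPLE_INJECTION)),
        # The bound query looks for a user literally named "x' OR '1'='1".
        "parameterized_rows": len(lookup_parameterized(conn, SAMPLE_INJECTION)),
        # Ordinary input still works as expected through the safe path.
        "legit_rows": len(lookup_parameterized(conn, "alice")),
    }

if __name__ == "__main__":
    print(demo())
```

The parameterized form is the fix; the vulnerable form is kept only to show the behavioural difference on identical input. Beyond the query layer, the Bit9 case is a reminder that a signing or trust decision is only as strong as the system that issues it: a compromised code-signing host turns an allowlist into a distribution channel, which is why signing keys belong on isolated, audited infrastructure rather than on a network-reachable application server.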

But Symantec said that the Bit9 compromise was part of a much larger series of attacks, known as the VOHO campaign -- first discovered by security firm RSA -- that ultimately compromised 4,000 machines at hundreds of U.S. organizations. Compromised organizations included technology firms, government agencies, financial services firms and educational institutions, among others.

One result of the success of a "hackers for hire" service such as Hidden Lynx is that, as noted, other attackers have likely been learning from the group's success and emulating its techniques. At the same time, "the Hidden Lynx group is not basking in their past glories," said Symantec. "They are continuing to refine and streamline their operations and techniques to stay one step ahead of their competition."