Elite Chinese Cyberspy Group Behind Bit9 Hack

Professional, for-hire 'Hidden Lynx' gang steals intellectual property on-demand -- mostly from U.S.-based targets

A more elite and sophisticated cyberespionage group out of China was behind the breach and ultimate theft of security firm Bit9's digital code-signing certificates, which were later used to target some Bit9 customers, according to new research from Symantec.

The so-called "Hidden Lynx" cyberspy gang has waged targeted attacks since at least 2009. Attacks included water-holing campaigns in which the group injected malware into legitimate websites likely frequented by its targeted industries and then sifted out its true targets, mainly financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm's file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, revealed in 2010, which targeted Google, Intel, Adobe, and other major U.S. firms.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers; the breach was discovered in January of this year.

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers.

"On our side, we got samples from three different organizations all in the defense supply sector ... these were customers of ours who were at the targeted end of this attack. We don't know if they got breached or infected" by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson regarding its customers that were attacked in the wake of its breach: "The customers were not government or military entities, nor were they defense contractors or otherwise part of the DIB."

Bit9 has stopped short of providing any details on its customers who were targeted. In an interview with Dark Reading earlier this year, Sverdlove said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," Sverdlove said.

[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]

Hidden Lynx differs from other Chinese APTs, such as APT1/Comment Crew: They appear to operate on a for-hire basis, hacking specific targets for their clients who commission them, according to Symantec, which published a whitepaper on the group and its attack methods yesterday.

The group also employs "cutting edge" attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first phase attacks -- large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less-prolific piece of malware, for infecting the actual targets that are sifted from the overall infected victims.

"We've seen them using water-holing like nobody else has. They use zero days to get people infected, and ... then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude," Thakur says. "We've not seen that before" with APTs, he says.

It's unclear whether the group is directly employed by the Chinese government, but their infrastructure is based in China, says Vikram Thakur, principal security response manager and researcher with Symantec Security Response. "They do have an authority sitting above them. The reason we know this is because they don't just go after one type of data. By itself, that is quite striking ... They don't seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done."

Symantec estimates that the group ranges from 50 to 100 individuals targeting hundreds of different targets, 24.6 percent of which are in the financial industry, 17.41 percent in education, 15.08 percent in government, 12.39 percent in ICT/IT, 6.64 percent in engineering, as well as about 4 to 5 percent in industries such as defense, engineering, and media.

Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with minuscule infection counts were likely collateral damage, such as a U.S. user traveling in that nation. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets," according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, when the attackers sift through the specific targets, likely at the behest of their contractors. "Moudoor is more popular, and most people are looking for it," so it's used in the initial attack, he says. That then masks the second-day infection from the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. "They want real intelligence from the physical world," he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via 10 legitimate websites the attackers had injected with malware, as well as other attack campaigns against the energy sector, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec's full report on Hidden Lynx is available here (PDF) for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.