Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:38 PM
Connect Directly

Elite Chinese Cyberspy Group Behind Bit9 Hack

Professional, for-hire 'Hidden Lynx' gang steals intellectual property on-demand -- mostly from U.S.-based targets

A more elite and sophisticated cybersespionage group out of China was behind the breach and ultimate theft of security firm Bit9's digital code-signing certificates, which later were used to target some Bit9 customers, according to new research from Symantec.

The so-called "Hidden Lynx" cyberspy gang has waged targeted attacks since at least 2009. Attacks included water-holing campaigns in which they injected malware into legitimate websites likely frequented by their targeted industries and then sifted out their true targets, mainly from financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm's file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, which targeted Google, Intel, Adobe, and other major U.S. firms, that was revealed in 2010.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers; the breach was discovered in January of this year.

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers.

"On our side, we got samples from three different organizations all in the defense supply sector ... these were customers of ours who were at the targeted end of this attack. We don't know if they got breached or infected" by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson regarding its customers that were attacked in the wake of its breach: "The customers were not government or military entities, nor were they defense contractors or otherwise part of the DIB."

Bit9 has stopped short of providing any details on its customers who were targeted. In an interview with Dark Reading earlier this year, Sverdlove said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," Sverdlove said.

[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]

Hidden Lynx differs from other Chinese APTs, such as APT1/Comment Crew: They appear to operate on a for-hire basis, hacking specific targets for their clients who commission them, according to Symantec, which published a whitepaper on the group and its attack methods yesterday.

The group also employs "cutting edge" attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first phase attacks -- large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less-prolific piece of malware, for infecting the actual targets that are sifted from the overall infected victims.

"We've seen them using water-holing like nobody else has. They use zero days to get people infected, and ... then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude," Thakur says. "We've not seen that before" with APTs, he says.

It's unclear whether the group is directly employed by the Chinese government, but their infrastructure is based in China, says Vikram Thakur, principal security response manager and researcher with Symantec Security Response. "They do have an authority sitting above them. The reason we know this is because they don't just go after one type of data. By itself, that is quite striking ... They don't seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done."

Symantec estimates that group ranges from 50 to 100 individuals targeting hundreds of different targets, 24.6 percent of which are in the financial industry, 17.41 percent in education, 15.08 percent in government, 12.39 percent in ICT/IT, 6.64 percent in engineering, as well as about 4 to 5 percent in industries such as defense, engineering, and media.

Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with miniscule infections likely were collateral damage, such as a U.S. user traveling in that nation. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets," according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, when the attackers sift through the specific targets, likely at the behest of their contractors. "Moudoor is more popular, and most people are looking for it," so it's used in the initial attack, he says. That then masks the second-day infection from the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. "They want real intelligence from the physical world," he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via 10 legitimate websites the attackers had injected with malware, as well as other attack campaigns against energy, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec's full report on Hidden Lynx is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-15
Null pointer dereference vulnerability exists in K11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime in NSS before 3.26, which causes the TLS/SSL server using NSS to crash.
PUBLISHED: 2019-11-15
Jetty 6.x before 6.1.22 suffers from an escape sequence injection vulnerability from two different vectors: 1) "Cookie Dump Servlet" and 2) Http Content-Length header. 1) A POST request to the form at "/test/cookie/" with the "Age" parameter set to a string throws a &qu...
PUBLISHED: 2019-11-15
Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has WWPack corrupt heap memory
PUBLISHED: 2019-11-15
ClamAV before 0.97.7 has buffer overflow in the libclamav component