Symantec says advanced persistent attack operators are tied to hundreds of cyber break-ins, including Operation Aurora against Google.

Mathew J. Schwartz, Contributor

September 18, 2013

5 Min Read

The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army: 9 Things We Know

(click image for larger view)
The Syrian Electronic Army: 9 Things We Know

Remember Comment Crew, also known as APT1 or the Shanghai Group? They're the Chinese cyber-espionage gang that security firm Mandiant singled out earlier this year for having launched a number of devastating attacks against U.S. businesses and defense contractors.

Well, their efforts have been consistently -- and silently -- trumped by "Hidden Lynx," a different group of "best of breed" advanced persistent threat (APT) attackers who have hacked into the networks of such businesses as Adobe, Bit9, Google Lockheed Martin and RSA, according to a report released Tuesday by security firm Symantec.

"This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew," due in no small measure to the group's technical abilities, levels of organization, "sheer resourcefulness" and patience, Symantec's Security Response team said in a related blog post. It said the group's name was drawn from code retrieved from the hackers' command-and-control servers.

[ How secure is the new iPhone? Read Apple Hackers Rate iPhone 5s Security. ]

Like the Comment Crew, Hidden Lynx appears to be operating from China, and employs largely Chinese-built tools and China-based malicious infrastructure. But Symantec said that unlike Comment Crew, this group -- which regularly steals information that would be of value "to both commercial and governmental organizations" -- appears to be a much more "well-resourced and sizeable organization."

"There is no question they're working on behalf of the Chinese government," CrowdStrike CTO Dmitri Alperovitch told The Wall Street Journal. He said the group, which Crowdstrike has been tracking for years -- the firm refers to it as "Aurora Panda" -- might serve as defense contractors for the Chinese government.

According to CrowdStrike, since November 2011, half of the group's targets have been in the United States, 16% in Taiwan and 9% in China.

Hidden Lynx appears to have been active since 2009, and often runs multiple attack campaigns simultaneously. "This group doesn't just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently," said Symantec. "Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that [is] contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets." Hidden Lynx's bona fides include inventing the "watering hole" attack technique, which involves exploiting a third-party website to infect visitors with malware, thus allowing attackers to gain access to their true target. That attack technique was seen earlier this year in an exploit of an iOS development site, which lead to intrusions at Apple, Facebook, Microsoft and Twitter. Although that attack wasn't ascribed to Hidden Lynx, it shows how the group's cutting-edge exploits are quickly adopted by competitors.

The hackers inside Hidden Lynx also appear to have had early access to multiple zero-day vulnerabilities, which means the group might have discovered the related code bugs itself. Regardless, having such exploits at hand would give the group's attacks a much greater chance of success, because many targeted businesses or government agencies wouldn't have defenses in place.

Given the group's capabilities, it "could easily consist of 50 to 100 individuals," said Symantec, noting that the hackers appear to have been grouped into two different teams, each of which employs a different range of attack tools and techniques. Symantec has dubbed one of these groups "Team Moudoor," after the name of a well-known Trojan -- often used by the group -- that's a customized version of the backdoor "Gh0st RAT" malware. In general, this team "uses disposable tools along with basic but effective techniques to attack many different targets," and apparently doesn't care if its attack tools get spotted. Symantec said one of the group's main functions might simply be to gather intelligence on targets.

The second group, dubbed Team Naid, is more of an elite unit that appears to be tasked with cracking "the most valuable or toughest targets," according to Symantec. Its principle weapon appears to be the Naid Trojan, which "is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option." Interestingly, the Naid Trojan has been recovered from several high-profile and relatively advanced exploits, including the 2009 Aurora attacks that compromised Google and other businesses.

As that suggests, the hackers appear to be both technically sophisticated and thorough. For example, in July 2012, when Team Naid was attempting to hack into defense contractors, it found itself blocked by trust-based protection software from security vendor Bit9. In response, the Naid attackers turned their sights on Bit9 itself. The attackers used a SQL injection attack to hack into Bit9's network, identified how files were signed using the company's protection mechanisms, then signed a number of their own malicious files, which they used to attack U.S. defense contractors. Bit9 ultimately publicly revealed the attacks in February 2013.

But Symantec said that the Bit9 compromise was part of a much larger series of attacks, known as the VOHO campaign -- first discovered by security firm RSA -- that ultimately compromised 4,000 machines at hundreds of U.S. organizations. Compromised organizations included technology firms, government agencies, financial services firms and educational institutions, among others.

One result of the success of a "hackers for hire" service such as Hidden Lynx is that, as noted, other attackers have likely been learning from the group's success and emulating its techniques. At the same time, "the Hidden Lynx group is not basking in their past glories," said Symantec. "They are continuing to refine and streamline their operations and techniques to stay one step ahead of their competition."

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights