A hacker-for-hire crew known as ‘Hidden Lynx’ has been tied to a series of sophisticated, high-profile attacks targeting both businesses and governments around the world.
Researchers at Symantec say the group, which numbers between 50 and 100, has been active since 2009 and has been involved not only in the infamous Operation Aurora but also in an attack on Bit9 in 2012 and in an expansive campaign of watering-hole attacks that affected thousands of machines earlier this year.
Known as the VOHO campaign, it combined both regional and industry-specific attacks and focused on organizations primarily operating in the United States.
“In a rapidly spreading two-phase attack, which started on June 25 and finished July 18, nearly 4,000 machines had downloaded a malicious payload,” according to a whitepaper Symantec released on the group. “These payloads were being delivered to unsuspecting victims from legitimate websites that were strategically compromised.”
Many of the targeted victims were U.S. defense contractors protected by Bit9’s whitelisting software. To get around this obstacle, the attackers turned their attention to Bit9 itself, ultimately breaching its file-signing infrastructure and gaining the ability to sign their malware so that the whitelisting software on the targets’ machines would trust it.
“The attackers installed Backdoor.Hikit, a Trojan that provides extremely stealthy remote access to compromised systems,” according to the whitepaper. “This highly customized Trojan is typically installed onto servers in the victims’ DMZ, which was the case at Bit9. Credentials for another virtual machine were then stolen. These were used to access the virtual machine that contained one of Bit9’s digital code-signing certificates. The attackers used this code-signing infrastructure to sign thirty-two malicious files, some of which were then retrieved to be used in subsequent attacks on select organizations in the United States defense industrial base.”
Many of the tools and much of the infrastructure linked to the attacks originate from network infrastructure based in China, Symantec reported. The crew’s front line is a team that uses disposable tools and basic techniques to attack a range of targets. This unit, dubbed Team Moudoor after the Trojan it uses, also acts as an intelligence collector.
A second team, which Symantec refers to as Team Naid after the Trojan it uses, is an elite group reserved for cracking the most valuable targets.
While researchers did not uncover any information about how much the group is being paid for its services, Symantec security researcher Vikram Thakur speculates it must be significant given the group’s uncommon size.
“Hidden Lynx is unique because it is one of the most organized, sophisticated groups using cutting edge hacking techniques to access information from organizations in some of the most technically advanced countries in the world,” said Thakur.
Since 2011, six campaigns have been connected to the group. Roughly 53 percent of their victims were in the United States. The next biggest group, 15.53 percent, were located in Taiwan. Approximately 24 percent were in the finance industry, while 17 percent were in education. Just over 15 percent were in the government sector.
“The group’s goal is to gain access to information within organizations in some of the wealthiest and most technologically advanced countries across the globe,” according to Symantec’s research paper. “It is unlikely that they can use this information for direct financial gain, and the diversity of the information and number of distinguishable campaigns would suggest that they are contracted by multiple clients. This leads us to believe that this is a professional organization that offers a ‘hackers for hire’ service.”