Chinese Hidden Lynx Hackers Launch Widespread APT Attacks

Published: 22/11/2024   Category: security


Symantec says advanced persistent attack operators are tied to hundreds of cyber break-ins, including Operation Aurora against Google.

Remember Comment Crew, also known as APT1 or the Shanghai Group? They're the Chinese cyber-espionage gang that security firm Mandiant singled out earlier this year for having launched a number of devastating attacks against U.S. businesses and defense contractors.

Well, their efforts have been consistently -- and silently -- trumped by Hidden Lynx, a different group of best-of-breed advanced persistent threat (APT) attackers who have hacked into the networks of such businesses as Adobe, Bit9, Google, Lockheed Martin and RSA, according to a report released Tuesday by security firm Symantec.

"This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew, due in no small measure to the group's technical abilities, levels of organization, sheer resourcefulness and patience," Symantec's Security Response team said in a related blog post. It said the group's name was drawn from code retrieved from the hackers' command-and-control servers.
Like the Comment Crew, Hidden Lynx appears to be operating from China, and employs largely Chinese-built tools and China-based malicious infrastructure. But Symantec said that unlike Comment Crew, this group -- which regularly steals information that would be of value to both commercial and governmental organizations -- appears to be a much more well-resourced and sizeable organization.

"There is no question they're working on behalf of the Chinese government," CrowdStrike CTO Dmitri Alperovitch told The Wall Street Journal. He said the group, which CrowdStrike has been tracking for years -- the firm refers to it as Aurora Panda -- might serve as defense contractors for the Chinese government. According to CrowdStrike, since November 2011, half of the group's targets have been in the United States, 16% in Taiwan and 9% in China.

Hidden Lynx appears to have been active since 2009, and often runs multiple attack campaigns simultaneously. "This group doesn't just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently," said Symantec. "Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that [is] contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets."

Hidden Lynx's bona fides include inventing the watering hole attack technique, which involves exploiting a third-party website to infect visitors with malware, thus allowing attackers to gain access to their true target. That attack technique was seen earlier this year in an exploit of an iOS development site, which led to intrusions at Apple, Facebook, Microsoft and Twitter. Although that attack wasn't ascribed to Hidden Lynx, it shows how the group's cutting-edge exploits are quickly adopted by competitors.

The hackers inside Hidden Lynx also appear to have had early access to multiple zero-day vulnerabilities, which means the group might have discovered the related code bugs itself. Regardless, having such exploits at hand would give the group's attacks a much greater chance of success, because many targeted businesses or government agencies wouldn't have defenses in place.

Given the group's capabilities, it could easily consist of 50 to 100 individuals, said Symantec, noting that the hackers appear to have been grouped into two different teams, each of which employs a different range of attack tools and techniques. Symantec has dubbed one of these groups Team Moudoor, after the name of a well-known Trojan -- often used by the group -- that's a customized version of the Gh0st RAT backdoor malware. In general, this team uses disposable tools along with basic but effective techniques to attack many different targets, and apparently doesn't care if its attack tools get spotted. Symantec said one of the group's main functions might simply be to gather intelligence on targets.

The second group, dubbed Team Naid, is more of an elite unit that appears to be tasked with cracking the most valuable or toughest targets, according to Symantec. Its principal weapon appears to be the Naid Trojan, which is used sparingly and with care to avoid detection and capture, "like a secret weapon that is only used when failure is not an option." Interestingly, the Naid Trojan has been recovered from several high-profile and relatively advanced exploits, including the 2009 Aurora attacks that compromised Google and other businesses.

As that suggests, the hackers appear to be both technically sophisticated and thorough. For example, in July 2012, when Team Naid was attempting to hack into defense contractors, it found itself blocked by trust-based protection software from security vendor Bit9. In response, the Naid attackers turned their sights on Bit9 itself. The attackers used a SQL injection attack to hack into Bit9's network, identified how files were signed using the company's protection mechanisms, then signed a number of their own malicious files, which they used to attack U.S. defense contractors. Bit9 ultimately publicly revealed the attacks in February 2013.

But Symantec said that the Bit9 compromise was part of a much larger series of attacks, known as the VOHO campaign -- first discovered by security firm RSA -- that ultimately compromised 4,000 machines at hundreds of U.S. organizations. Compromised organizations included technology firms, government agencies, financial services firms and educational institutions, among others.

One result of the success of a hackers-for-hire service such as Hidden Lynx is that, as noted, other attackers have likely been learning from the group's success and emulating its techniques. At the same time, "the Hidden Lynx group is not basking in their past glories," said Symantec. "They are continuing to refine and streamline their operations and techniques to stay one step ahead of their competition."
