Symantec identifes 'Hidden Lynx' as hackers co-op

Symantec believes it has connected the dots to link a single Chinese hacking group dubbed "Hidden Lynx" to a series of high-profile APT-driven cyberattacks on U.S. interests, including the infamous Aurora hacks of 2009 as well as this year's compromise of security firm Bit9.

The firm's white paper (PDF) about the group describes a large team of between 50 and 100 professionals working on a professional hacker-for-hire basis. This would make the group even more significant than the APT1/Comment Crew hacking group that has become the media face of Chinese state-sponsored hacking.

According to Symantec, since 2009 Hidden Lynx has targeted hundreds of organizations around the world, focusing more than half its effort on the U.S., with smaller campaigns against targets in Taiwan, Hong Kong, Japan, and even mainland China itself.

This is a group that seems to do a bit of everything, picking off organizations in every sector with a particular interest in corporate espionage against finance, government, ICT, education, and healthcare.

"This broad range of targeted information would indicate that the attackers are part of a professional organization," said Symantec in its white paper. "They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew."

Fingered for Bit9 attack

A recent incident Symantec connects them to in forensic detail is the February attack on a code-signing certificate server inside the network of whitelisting firm Bit9, conducted using the stealthy Backdoor.Hikit Trojan, one from a clutch of such malware favored by the group.

A second prominent campaign was what became known as the VOHO watering hole attacks publicized by RSA in 2012 before mentioning its "affiliation" to the Aurora attacks on Google and several others in late 2009.

Symantec

Symantec lays out evidence that the group worked in departments, each responsible for different elements of attacks, commanding different Trojans to individual ends, sometimes requiring large numbers of people to control attacks. It is also able to access advanced zero-day vulnerabilities, the sort saved up by black hats for a rainy day.

If Hidden Lynx is a business it has certainly been busy.

"From the evidence seen, it's clear that Hidden Lynx belongs to a professional organization. They operate in a highly efficient manner. They can attack on multiple fronts. They use the latest techniques, have access to a diverse set of exploits and have highly customized tools to compromise target networks," Symantec concluded.

The revelation, if that's the right way to describe Symantec's insight, is that it sheds some intriguing light on the different groups that seem to operate from inside China, possibly in competition with one another. The warning served by Hidden Lynx is that this group appeared to be a successful business model likely to be copied by others, Symantec said.

If Symantec is correct that Hidden Lynx is connected to the Aurora attacks, they have traced the group that kicked off the U.S. vs China age of advanced persistent threats (APTs) in the first days of 2010. It was at that moment that the scale what had been occurring became apparent to the world. It also dragged the US business world and public opinion into an awareness of what cyberattacks could mean in geo-political and economic terms.

Subscribe to the Security Watch Newsletter

Comments