A group of between 50 and 100 professional hackers operating out of China has been systematically targeting businesses, military and government agencies around the world since at least 2009, security vendor Symantec said in a report released on Tuesday.
The group, called Hidden Lynx, is believed to be connected to the Operation Aurora espionage campaign of 2010, in which dozens of major companies, including Google and Microsoft, were targeted.
More recently, Hidden Lynx was associated with an attack on security vendor Bit9 earlier this year, and also with numerous "watering hole" attacks against hundreds of organizations in the United States.
The group has a long history of attacking organizations in the defense industrial base, financial services sector, education, government, supply chain and the engineering sector, Symantec noted in its report. More than half of the attacks have been against U.S.-based companies, but the group has been going after targets in other countries as well.
What makes Hidden Lynx notable is its access to an apparent arsenal of sophisticated malware tools, including exploits for zero-day vulnerabilities, said Kevin Haley, director of Symantec Security Response.
The tools include one named Trojan.Naid, which the group apparently reserves for use against high-value targets such as those in Operation Aurora. Another, dubbed Backdoor.Moudoor, is used for more general-purpose hacking campaigns.
Haley said members of Hidden Lynx appear loosely organized into two teams: an A-team, comprising a relatively small number of elite hackers with access to sophisticated tools like Trojan.Naid; and a B-team, which appears to consist mainly of foot soldiers responsible for carrying out large attacks using Backdoor.Moudoor and similar tools.
The elite hackers are usually deployed for special operations involving a high degree of skill and secrecy, Haley noted. This group often appears to have advance knowledge of, and access to, information on fresh zero-day vulnerabilities, he said.
The Symantec paper pointed to one incident earlier this year where the Hidden Lynx group used advance knowledge of a zero-day Oracle vulnerability to attack targets in Japan.
One of the more remarkable aspects of the group is its apparent problem-solving skills, Haley noted. In situations where members of Hidden Lynx have been unable to penetrate a target directly, they have found other ways to compromise it by identifying and exploiting vulnerable suppliers, partners and service providers.
As an example, he pointed to the attack on Bit9 earlier this year, in which Hidden Lynx managed to gain access to Bit9's digital code-signing infrastructure. The hacking group used it to sign a total of 32 Trojans and malicious scripts, which it then used to try to infiltrate companies that used Bit9's security services, including a major defense contractor.