
September 17, 2013

Hackers for Hire Group Responsible for Cyber-Espionage Attacks from China: Report

Image courtesy of [ chanpipat] /

A group of highly skilled computer hackers hiring their services out to top bidders is responsible for the sophisticated cyber-espionage attacks that have emerged from China in recent years, U.S. computer security firm Symantec says in a new report.

Symantec, which has named the group Hidden Lynx, says the unit has been in operation as “hackers for hire” since at least 2009 and has “the capability to attack many organizations with concurrently running campaigns.” This, Symantec says, means the group comprises at least 50 to 100 individuals.

“The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in (China), such as the Comment Crew (also known as APT1),” the report reads. “The Hidden Lynx group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.”

APT1 is the group identified by fellow computer security firm Mandiant as being responsible for thousands of hacking attacks against Western companies and defense contractors since 2006. Mandiant, in a 74-page report, said APT1, or Advanced Persistent Threat 1, was a unit of the Chinese People’s Liberation Army. China has indignantly denied the report’s findings.

Although Symantec says it was unable to confirm whether Hidden Lynx is connected to the Chinese government, the group is suspected of playing a major role in the 2009 Operation Aurora attacks, a high-profile cluster of attacks against American companies such as Google, Yahoo, Adobe, Morgan Stanley, Dow Chemical and Symantec itself.

The attack was first disclosed by Google in a January 2010 blog post. The attack began in mid-2009 and continued through December of that year.

Another major cyber-espionage campaign Hidden Lynx is suspected of instigating is the VOHO attack of June 2012 targeting U.S. defense contractors.

“What was particularly interesting about this attack was the use of the watering hole attack technique and the compromise of Bit9’s trusted file signing infrastructure,” reads a company blog post. “The VOHO campaign was ultimately targeting U.S. defense contractors whose systems were protected by Bit9’s trust-based protection software but when the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose.

“This is exactly what they did when they diverted their attention to Bit9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model, they then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets.”

The blog indicates Hidden Lynx has “a team that uses disposable tools along with basic but effective techniques to attack many different targets.”

“They may also act as intelligence collectors too. This team we call Team Moudoor after the name of the Trojan that they use. Moudoor is a back door Trojan that the team uses liberally without worry about discovery by security firms. The other team acts like a special operations unit, elite personnel used to crack the most valuable or toughest targets. The elite team uses a Trojan named Naid and are therefore referred to as Team Naid. Unlike Moudoor, the Naid Trojan is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option.”

