Chinese hackers for hire tied to Bit9 and Aurora attacks
The existence, the modus operandi and details of successful campaigns of another Chinese hacking group have been revealed by Symantec researchers, who have managed to tie to several high-profile compromises in the last few years, most notably that of Bit9.
Dubbed “Hidden Lynx” after a string that was found in their C&C server communications, the group is considered by the researchers to be a professional team of attackers that is not affiliated with the Chinese state.
“The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a ‘hackers for hire’ service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically,” the researchers explained in a extensive report. “Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.”
In fact, the group is though to consist of two separate teams (both named after their preferred attack / compromise malware). Team Naid – wielding the Naid Trojan – is the one that attacked Bit9 and likely Google and other companies targeted in the infamous 2009 “Operation Aurora”. They seem to concentrate on high value targets.
Team Moudoor is likely larger than Team Naid, and uses the Moudoor backdoor Trojan – a customized version of “Gh0st RAT” – to breach a large number of companies in various industries and steal their intellectual property.
“The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1),” the researchers claim.
Most of its known targets were organizations in the US and Taiwan, but some of them (at least 13 percent) are based in Hong Kong and China. The industries within these organizations work are mostly finance, education, government, ICT / IT and healthcare.
“This broad range of targeted information would indicate that the attackers are part of a professional organization. They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level,” the researchers speculate.
“It is unlikely that this organization engages in processing or using the stolen information for direct financial gain. Their mode of operation would suggest that they may be a private organization of ‘hackers for hire’, who are highly skilled, experienced professionals whose services are available for those willing to pay.”
They are the group that pioneered watering hole attacks, but is also using phishing attacks and is hacking supply chains in order to deliver their custom-built malware.
They are obviously resourceful, and very adept at problem solving. After having compromised Bit9’s internal network and stolen their code-signing certificates, they used them to sign the Naid Trojan and the Moudoor backdoor so that companies that used Bit9’s app whitelisting system could be easily penetrated.
The same signed malware was later used in a watering-hole operation that targeted organizations in the Boston area, during which exploits for several zero-day flaws were used to deliver the initial malicious payload and additional ones later.
“The worrying knock-on effect of this group’s activities is that other threat actors are learning and adopting their techniques. The Hidden Lynx group is not basking in their past glories, they are continuing to refine and streamline their operations and techniques to stay one step ahead of their competition,” the researchers commented.
“We expect these attackers to be involved in many more high profile campaigns in the coming years. They will continue to adapt and innovate. They will continue to provide information servicing interests at both a corporate and state level.”
Be sure to check out the original report for more details about several of the campaigns mounted by the group and on the malware they use – it’s a very interesting read.