Researchers at Symantec say the group, which they estimate at between 50 and 100 members, has been active since 2009 and has been involved not only in the notorious Operation Aurora but also in the 2012 attack on Bit9 and a large campaign of watering hole attacks that affected thousands of machines earlier this year.
That campaign, dubbed VOHO, combined regional and industry-specific targeting and centered on organizations operating primarily in the United States.
“In a rapidly spreading two-phase attack, which started on June 25 and finished July 18, nearly 4,000 machines had downloaded a malicious payload,” according to a whitepaper Symantec released on the group. “These payloads were being delivered to unsuspecting victims from legitimate websites that were strategically compromised.”
Many of the targets were U.S. defense contractors whose endpoints were protected by Bit9's application whitelisting software. A binary signed with a Bit9 code-signing certificate would be trusted in those environments, which is why the attackers went after Bit9's signing infrastructure rather than the contractors directly.
“The attackers installed Backdoor.Hikit, a Trojan that provides extremely stealthy remote access to compromised systems,” according to the whitepaper. “This highly customized Trojan is typically installed onto servers in the victims’ DMZ, which was the case at Bit9. Credentials for another virtual machine were then stolen. These were used to access the virtual machine that contained one of Bit9’s digital code-signing certificates. The attackers used this code-signing infrastructure to sign thirty-two malicious files, some of which were then retrieved to be used in subsequent attacks on select organizations in the United States defense industrial base.”
The group is reported to operate from network infrastructure based in China.
One team within the group uses disposable tools and basic techniques against a wide range of targets. Symantec dubbed this squad Team Moudoor, after the Trojan it uses, which also acts as an intelligence collector on infected machines.
A second squad operates as an elite unit reserved for high-value targets; Symantec refers to it as Team Naid, again after the Trojan it uses.
Symantec security researcher Vikram Thakur speculates that the group is state sponsored, given its unusual size.
“Hidden Lynx is unique because it is one of the most organized, sophisticated groups using cutting edge hacking techniques to access information from organizations in some of the most technically advanced countries in the world,” said Thakur.
“The group’s goal is to gain access to information within organizations in some of the wealthiest and most technologically advanced countries across the globe,” according to Symantec’s research paper. “It is unlikely that they can use this information for direct financial gain, and the diversity of the information and number of distinguishable campaigns would suggest that they are contracted by multiple clients. This leads us to believe that this is a professional organization that offers a ‘hackers for hire’ service.”