Researchers from Symantec Corp. have pinned some of the biggest and most brazen cyberattacks in recent years, including the compromise of endpoint security vendor Bit9 and possibly Operation Aurora, on a single China-based hacking group.
The group, dubbed "Hidden Lynx," has between 50 and 100 members, according to Symantec's report. Unlike the Chinese People's Liberation Army's Comment Crew, the organization highlighted in the Mandiant Corp. APT1 report earlier this year, Hidden Lynx has no formal links to the Chinese government that Symantec has been able to find. Instead, Symantec speculated the group may be "hackers for hire," due to its targeting of organizations in a wide variety of business sectors across the globe.
Hidden Lynx is seemingly split into two teams based on the Trojan each is purported to use. One uses the Moudoor Trojan, a custom version of "Gh0st RAT," for larger attack campaigns, while the other utilizes the Naid Trojan for higher-value targets. Symantec characterized the group's tactics as "cutting-edge," with customized tools and Trojans used in many of its operations for stealth. Several zero-day exploits have been deployed by the group, and Symantec noted its ability to rework exploits quickly as part of an attack.
Symantec's report indicated Hidden Lynx has been active since at least 2009, which is the year the Operation Aurora attack campaign was launched against Google and dozens of other tech firms; the security vendor now believes that Hidden Lynx may have been behind Aurora. At the time, Symantec confirmed victims were infected via the Hydraq Trojan, which allowed the attackers to enter corporate networks via a backdoor installed on victims' machines. Aside from Aurora, Symantec confirmed the hacker group has spearheaded several successful attack campaigns in recent years, including VOHO, FINSHO and SCADEF.
Perhaps the most well-known target of the VOHO campaign was Waltham, Mass.-based Bit9, which confirmed in February that its digital code-signing certificates had been compromised by malicious actors. The attackers, now referred to as Hidden Lynx by Symantec, utilized a SQL injection attack to gain access to one of the company's servers, which, ironically, was not protected by Bit9's own security products. Once in the network, the hacker group went about its seemingly customary routine of installing a customized Trojan -- Backdoor.Hikit -- which it used to sign a total of 32 malicious certificates that were then part of subsequent attacks on U.S. defense companies.
The compromise of Bit9 was just one small part of VOHO, which Symantec has now revealed to be one of the largest watering-hole attack campaigns to date. Between June 25 and July 28 of 2012, the group was able to deliver malicious payloads to nearly 4,000 machines via 10 legitimate websites they had compromised. Symantec speculated Hidden Lynx compromised the Web servers of the target sites first so they could examine the access logs; with that information in hand, the group could determine which of their actual targets would likely visit those sites during the exploit delivery phase.
Armed with Bit9's certificates and a Java exploit that was newly built for the delivery of the Trojan, the Naid team was able to successfully compromise three of its target organizations during a three-day period, all of which were being protected by Bit9's security products.
Symantec's report said the VOHO campaign serves to highlight the increasing sophistication of targeted attacks, with the company noting that Hidden Lynx is continuing to forge ahead with new attack methods while other groups adopt their techniques.
"With a growing number of threat actors participating in these campaigns, organizations have to understand that sophisticated attackers are working hard to bypass each layer of security," according to the Symantec report. "It's no longer safe to assume that any one solution will protect a company's assets. A variety of solutions need to be combined and, with a better understanding of the adversary, tailored to adequately protect the information of most interest to the attackers."