Security researchers have linked the “Hackers for hire” Hidden Lynx Group with a number of high-profile attacks, including an assault on net security firm Bit9, as well as the notorious Operation Aurora assault against Google and other hi-tech firms back in 2009.
Hidden Lynx is a sophisticated hacking group based in China and made up of between 50 and 100 individuals, according to Symantec. The hackers provide "full service" as well as "customised" cyber-espionage attacks against corporate and government targets, claims the security firm. Its favoured tactics include planting malicious code on third-party sites frequented by individuals from targeted organisations.
Such so-called watering hole attacks are an easier way to go after marks than hacking into the websites of defence contractors, government organisations and other targets directly. The group, which has operated for more than three years, has used zero-day exploits three times since 2011 alone, says Symantec.
The researchers believe the group compromised security firm Bit9’s digital code-signing certificate as part of a stepping-stone attack ultimately aimed at defence industry customers of the net security firm's whitelisting technology.
Hidden Lynx also has affiliations to Operation Aurora, the 2009 mass break-in to more than 30 big technology companies, including Google and Adobe, the security firm claims.
"This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew," Symantec concludes in a blog post that praises the group for its "technical prowess", resourcefulness and patience in running multiple attacks.
The group's main targets include IT firms, defence and aeronautics contractors, the energy sector, finance, healthcare and governments in multiple countries, including the US, Taiwan and Japan. More than half the attacks linked to the group were thrown against US organisations.
Hidden Lynx "engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans designed specifically for each purpose", according to Symantec. Team Moudoor, a sub-group of Hidden Lynx, distributes Moudoor, a customised version of the “Gh0st RAT” Trojan, for large-scale campaigns.
Another sub-group, Team Naid, distributes the Naid Trojan, which appears to be reserved for more limited attacks against high value targets. Naid has been linked to the Bit9 incident.
More on Hidden Lynx (whose name is derived from a string found in command-and-control server communications) is available in a whitepaper published on Tuesday (PDF).