Made of up 50 to 100 individuals, Hidden Lynx provides full-service and customized attacks methods – including leveraging zero-day exploits and watering hole attacks – to carry out specific tasks of retrieving information from a wide range of corporate and government targets. According to Symantec, which has published a paper on the group, Hidden Lynx has the ability to breach some of the world’s best-protected organizations using cutting-edge attack techniques and has gone after highly protected computers in the defense industrial base.
Most significantly, Symantec alleges this group compromised security firm Bit9’s digital code-signing certificate as a stepping stone strategy to first compromise interim targets before reaching the ultimate marks in the defense industrial base.
“These attributes are shown by the relentless campaigns waged against multiple concurrent targets over a sustained period of time,” Symantec laid out, in a blog. “They are the pioneers of the watering hole technique used to ambush targets, they have early access to zero-day vulnerabilities, and they have the tenacity and patience of an intelligent hunter to compromise the supply chain to get at the true target.”
Symantec noted that these supply chain attacks are carried out by infecting computers at a supplier of an intended target and then waiting for the infected computers to be installed and call home. “Clearly these are cool calculated actions rather than impulsive forays of amateurs,” it explained.
Symantec said that the group has a sophisticated internal structure; the operatives are organized into at least two distinct teams both tasked with carrying out different activities using different tools and techniques. The types of APT attacks that Hidden Lynx carries out require time and effort, and some of the campaigns require research and intelligence gathering before any successful attacks can be mounted. The division of labor becomes necessary to mount attacks of the magnitude that this group undertakes.
One team uses disposable tools along with basic but effective techniques to attack many different targets. They may also act as intelligence collectors too. Symantec has dubbed them Team Moudoor, after the name of the back door trojan that the team uses liberally without worry about discovery by security firms.
The other team acts like a special operations unit, elite personnel used to crack the most valuable or toughest targets. Team Naid is named after a trojan that it uses sparingly and with care to avoid detection and capture, “like a secret weapon that is only used when failure is not an option.”
Symantec said that it has followed Hidden Lynx attacks since 2011, and has observed at least six significant campaigns by this group. The most notable of these campaigns is the VOHO attack campaign of June 2012, which used a watering hole attack technique and the aforementioned compromise of Bit9’s trusted file signing infrastructure.
“The VOHO campaign was ultimately targeting US defense contractors whose systems were protected by Bit9’s trust-based protection software, but when the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose,” Symantec explained. “This is exactly what they did when they diverted their attention to Bit9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model, they then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets.”
The stepping-stone strategy is notable. Bit9 publicly acknowledged the incident on February 8, 2013, after first informing its customer base. Bit9 director of corporate communications Kevin Flanagan told Infosecurity, "We stated in the Feb. 25 blog, and I confirm now, that the customers were not government or military entities nor were they defense contractors or otherwise part of the DIB.”
Symantec also confirmed that Hidden Lynx has affiliations with Operation Aurora, the 2009–2010 Internet Explorer attack against Google and other technology companies. Operation Aurora was a coordinated attack which included a piece of computer code that exploited a Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit was then extended to download and activate malware within the systems. The watering hole attack, which was initiated surreptitiously when targeted users accessed a malicious webpage (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.
With technical prowess and agility, Symantec called Hidden Lynx the best of breed, and sure to keep CIOs up at night: “This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew.”