SECURITY RESPONSE
Hidden Lynx – Professional Hackers for Hire
Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
Version 1.0 – September 17, 2013
CONTENTS
OVERVIEW ..................................................................... 3
Background ................................................................... 5
Who are the Hidden Lynx group? .................................. 5
Who are their targets? .................................................. 7
What is their motivation? .............................................. 7
Corporate Espionage ............................................... 8
Attacks against government contractors ................ 8
What are they capable of? ............................................ 8
Subverting trust protection models ........................ 8
Advanced zero-day access .................................... 13
Supply chain attacks ............................................. 14
Conclusion ................................................................... 16
Appendix ..................................................................... 18
Related attacks ...................................................... 18
Resources .................................................................... 25
Symantec Protection ................................................... 26
Overview
The Hidden Lynx group is a professional team of attackers with advanced capabilities. They were responsible for the compromise of security firm Bit9’s digital code-signing certificate, which was then used to sign malware. The Bit9 breach was part of the much larger VOHO campaign, and that campaign was just one of many operations undertaken by the group over the last four years.
The group likely offers a “hackers for hire” operation and is tasked with retrieving specific information from a wide range of corporate and government targets. They are a highly efficient team who can undertake multiple campaigns at once, breach some of the world’s best-protected organizations and change their tactics quickly to achieve their goal.
They usually attack using multiple customized Trojans designed for specific purposes. Backdoor.Moudoor is used for larger campaigns and has seen widespread distribution, while Trojan.Naid is reserved for special operations against high value targets. The group uses cutting-edge attack techniques, which make this team stand out from other major attack groups.
This paper takes an in-depth look at the Hidden Lynx group, their targets and their motivations. It will look into their capabilities and attack strategies through their attack campaigns, including the Bit9 incident.
Page 5
Hidden Lynx – Professional Hackers for Hire
Background
In February 2013, Bit9 released a statement revealing that in July 2012, their network had been compromised by a malicious third-party. A well-known group named Hidden Lynx, with affiliations to “Operation Aurora”, managed to break into Bit9’s network using an SQL injection attack and used Bit9’s code-signing certificate to sign Trojans. These Trojans made their way into the defense industrial sector.
However, the Bit9 compromise was only a small piece of a much larger watering-hole operation known as the
VOHO campaign, which impacted hundreds of organizations in the United States. Further, the VOHO campaign
itself was just one campaign of many that is attributable to this incredibly prolific group. Each campaign is
designed to access information in governmental and commercial organizations that tend to operate in the
wealthiest and most technologically advanced countries in the world.
Who are the Hidden Lynx group?
The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization
that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently
running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the
Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.
The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass
exploitation and pay-to-order targeted attacks for intellectual property using two Trojans designed specifically
for each purpose:
• Team Moudoor distributes Backdoor.Moudoor, a customized version of “Gh0st RAT”, for large-scale campaigns
across several industries. The distribution of Moudoor requires a sizeable number of people to both breach
targets and retrieve the information from the compromised networks.
• Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved
for more limited attacks against high value targets. This Trojan was leveraged for a special operation during
the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This
Trojan was also found as part of “Operation Aurora” in 2009.
Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure
in China. The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and
customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of
some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The
Hidden Lynx group is an advanced persistent threat that has been in operation for at least four years and is
breaking into some of the best-protected organizations in the world. With a zero-day attack already under their
belt in 2013, they continue to operate at the leading edge of targeted attacks.
Who are their targets?
Since November 2011, hundreds of organizations worldwide have been targeted by the Hidden Lynx group. The types of organizations targeted have remained relatively consistent during this time period. The group targets organizations operating in both the commercial sector and within all levels of government. The diverse set of targets from a variety of sectors would indicate that this group is not focused on any one specific task. The group manages concurrent campaigns in attacks that are global in nature.
The Hidden Lynx group has most recently conducted attacks against specific organizations in South Korea and has a long history of attacking the defense industrial sector of Western countries.
The top 10 organizations, categorized by the verticals they belong to, are shown in Figure 1. The most targeted countries/regions are shown in Figure 2.
Figure 1. Top 10 organizations targeted by the Hidden Lynx group since November 2011
Figure 2. Countries/regions targeted by the Hidden Lynx group since November 2011
What is their motivation?
This broad range of targeted information would indicate that the attackers are part of a professional organization. They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level. It is unlikely that this organization engages in processing or using the stolen information for direct financial gain. Their mode of operation would suggest that they may be a private organization of “hackers for hire”, who are highly skilled, experienced professionals whose services are available for those willing to pay.
Corporate Espionage
The financial services sector has been identified as the most heavily targeted industry overall. There is a
tendency to target specific companies within this sector. Investment banks and asset management agencies
account for the majority of organizations targeted within this industry. The absence of certain types of financial
institutions, such as those operating as commercial banks, clearly indicates that the attacks are focusing on
specific areas. The organizations involved would have expertise in large corporate deals, such as confidential
information on upcoming mergers and acquisitions, which could be used to gain a competitive edge. Targeting
this sector in such a concentrated fashion could provide invaluable information when negotiating large takeovers
or trading shares on the stock exchange.
Attacks on the financial sector are not limited to investment banks. Stock trading firms and one of the world’s
largest stock exchanges have been subjected to attacks from this group. The Hidden Lynx group has also
undertaken indirect attacks through the supply chains. Organizations that supply hardware, secure network
communications and services specific to the financial sector have also come under attack. There is almost
certainly a financial motivation behind these attacks.
Attacks against government contractors
The group has repeatedly attempted to infiltrate government networks at all levels, from local to national. Attacks against government contractors and, more specifically, the defense industry indicate that the group is in pursuit of confidential information and suggest that the group has been working for nation states.
Targeting advanced technologies in specific areas such as aerospace would be useful in order to close technological gaps or gain knowledge of the advanced capabilities of other nation states. Attacks on organizations that operate in the Internet services space can provide a wealth of valuable information. The group had affiliations to “Operation Aurora” (see the appendix for more details), a campaign that targeted a number of organizations including software manufacturers and defense contractors. More recently, Microsoft claimed that the target was databases containing emails marked for court-ordered wiretaps. They believe that these attacks were counter-intelligence operations, activities that would provide benefits at a nation state level.
What are they capable of?
The group’s tools, tactics and procedures are innovative and typically cutting-edge. They use custom tools and techniques that they tailor to meet their objectives and maximize their chance of success. They attack public-facing infrastructure and have been observed installing highly customized Trojans that are purpose-built for stealth. They engineered one of the most successful watering-hole attacks to date. They also undertake spear-phishing attacks and hack supply chains in order to distribute their custom Trojans. This is an established team with years of experience. They are well resourced and highly skilled.
The Hidden Lynx group’s advanced capabilities are clearly demonstrated in three major campaigns. In the VOHO
campaign, they showed how they could subvert Bit9’s established trust models. In the FINSHO campaign, they
managed to get advanced knowledge of a zero-day exploit and in the SCADEF operation, they undertook supply
chain attacks to succeed in their campaign.
Subverting trust protection models
The team can adapt rapidly to counter-measures that would otherwise hinder the success of a campaign. The
attack on Bit9 showed how the group could bypass solid trust protection models to get to their targets. However,
this attack was only a small part of the larger VOHO campaign, where the group proved how quickly they can
adapt and change their tactics in the face of new and unforeseen obstacles.
The Bit9 incident
Bit9 is a security company headquartered in Waltham, Massachusetts. As an alternative to traditional signature-based antivirus solutions, Bit9 offers a trust-based security platform that runs off of a cloud-based reputation service combined with policy-driven application control and whitelisting to protect against cyberthreats. As a result, it is difficult for a malicious third-party to install an untrusted application, such as a remote access Trojan (RAT), onto a system that is adequately protected with the Bit9 platform. Undaunted by this, the elite Hidden Lynx group took up the challenge.
On February 8, 2013, Bit9 released details revealing that a malicious third-party had gained access to one of their digital code-signing certificates. During this incident, a number of Trojans and malicious scripts were signed. In a follow-up post on February 25, more details of the attack emerged. In July 2012, more than six months earlier, a malicious third-party gained access to their network using an SQL injection attack. Due to an operational oversight, a public-facing server that wasn’t protected with the Bit9 platform allowed the attackers to gain unauthorized access.
The attackers installed Backdoor.Hikit, a Trojan that provides extremely stealthy remote access to compromised systems. This highly customized Trojan is typically installed onto servers in the victims’ DMZ, which was the case at Bit9. Credentials for another virtual machine were then stolen. These were used to access the virtual machine that contained one of Bit9’s digital code-signing certificates. The attackers used this code-signing infrastructure to sign thirty-two malicious files. Symantec telemetry shows some of these files have been present within select organizations in the United States defense industrial sector.
The signing of these files is significant, since they could then be used to circumvent the trust protection model offered by the Bit9 platform. The Trojans signed include variants of Backdoor.Hikit (the remote access Trojan used in the initial compromise) and another RAT called Trojan.Naid. Some malicious attack scripts were also signed. Each Trojan has a specific purpose. Backdoor.Hikit was used to target public-facing infrastructure while Trojan.Naid was used to perform highly targeted attacks through email and watering-holes.
Bit9 was alerted to the compromise in January 2013 and took immediate containment steps such as revoking the digital signature and reaching out to their entire customer base. According to Bit9, the attacks that followed were not financially motivated, but rather were an attempt to access information. By Bit9’s own admission, three customers were impacted.
In conjunction with the Bit9 compromise, the Hidden Lynx group had another significant campaign well under way. They had just concluded phase one of the VOHO campaign, a watering-hole operation orchestrated to attack organizations in the Boston, Massachusetts area – it was likely a distribution vector for the newly signed files.
Figure 3. Trojan.Naid – Bit9 digital certificate, July 13, 2012, provided by Symantec’s CA
Figure 4. Trojans successfully acquired with command-and-control (C&C) servers from the Bit9 investigation
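The Bit9 incident is a textbook case of a publisher-trust rule being only as strong as the custody of the publisher’s signing key, and of why the effective date of a revocation matters when the compromise is discovered months after the signing. The following is an added illustration, not Bit9’s product logic and not code from this report: a toy application-control policy with hash-based approval, publisher trust and a revocation list. The “signature” is an HMAC stand-in for real code signing (a constructed, hypothetical scheme so the example runs offline with the standard library), and the signer identity, key and file contents are constructed; only the dates mirror those the report gives (signing in July 2012, discovery in January 2013).

```python
"""
Toy model of an application-control trust policy. Added here to illustrate the
point the Bit9 incident makes: a rule that trusts a publisher's certificate is
only as strong as the custody of that publisher's signing key. This is NOT Bit9's
product logic and NOT Authenticode; the "signature" is an HMAC stand-in
(constructed, hypothetical) so the example runs offline on the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    signer: str           # certificate identity, e.g. "CN=Vendor Code Signing"
    signed_at: datetime   # signing time (analogue of a countersignature timestamp)
    mac: bytes            # toy signature over (signer, signed_at, file hash)


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _message(signer: str, signed_at: datetime, data: bytes) -> bytes:
    return f"{signer}|{signed_at.isoformat()}|{file_hash(data)}".encode()


def sign(data: bytes, signer: str, key: bytes, signed_at: datetime) -> Signature:
    """Stand-in for code signing: whoever holds `key` can produce valid signatures."""
    mac = hmac.new(key, _message(signer, signed_at, data), hashlib.sha256).digest()
    return Signature(signer, signed_at, mac)


def signature_valid(data: bytes, sig: Signature, key: bytes) -> bool:
    expected = hmac.new(key, _message(sig.signer, sig.signed_at, data), hashlib.sha256).digest()
    return hmac.compare_digest(sig.mac, expected)


@dataclass
class TrustPolicy:
    signer_keys: Dict[str, bytes]        # signer -> verification key (stand-in for a CA chain)
    trusted_publishers: Set[str]         # rule: anything validly signed by these may run
    approved_hashes: Set[str]            # rule: explicitly approved file hashes may run
    # signer -> date from which its signatures are no longer trusted
    revoked_publishers: Dict[str, datetime] = field(default_factory=dict)

    def decide(self, data: bytes, sig: Optional[Signature]) -> Tuple[str, str]:
        if file_hash(data) in self.approved_hashes:
            return "ALLOW", "hash approved"
        if sig is None:
            return "DENY", "unsigned and hash not approved"
        key = self.signer_keys.get(sig.signer)
        if key is None or not signature_valid(data, sig, key):
            return "DENY", "signature invalid"
        revoked_from = self.revoked_publishers.get(sig.signer)
        if revoked_from is not None and sig.signed_at >= revoked_from:
            return "DENY", f"publisher revoked for signatures from {revoked_from.date()}"
        if sig.signer in self.trusted_publishers:
            return "ALLOW", "trusted publisher"
        return "DENY", "signer not trusted"


def run_scenario() -> Dict[str, object]:
    """Replays the failure mode with constructed data and returns each decision."""
    signer = "CN=Vendor Code Signing"        # constructed identity, not Bit9's certificate
    key = b"constructed-demo-key-not-a-real-secret"
    legit_tool = b"legitimate vendor agent (constructed bytes)"
    malware = b"remote access trojan (constructed bytes)"

    legit_sig = sign(legit_tool, signer, key, datetime(2011, 5, 1))
    # An intruder on the signing host signs malware during the compromise window.
    malware_sig = sign(malware, signer, key, datetime(2012, 7, 13))

    policy = TrustPolicy(signer_keys={signer: key},
                         trusted_publishers={signer},
                         approved_hashes=set())
    results: Dict[str, object] = {}

    # Both files carry valid signatures, so publisher trust admits the malware.
    results["before_revocation"] = (policy.decide(legit_tool, legit_sig)[0],
                                    policy.decide(malware, malware_sig)[0])

    # Pitfall: revoking as of the discovery date (January 2013; day constructed)
    # leaves the earlier malicious signatures trusted.
    policy.revoked_publishers[signer] = datetime(2013, 1, 15)
    results["revoked_at_discovery"] = (policy.decide(legit_tool, legit_sig)[0],
                                       policy.decide(malware, malware_sig)[0])

    # Correct: date the revocation at the earliest plausible key-compromise time.
    policy.revoked_publishers[signer] = datetime(2012, 7, 1)
    results["revoked_at_compromise"] = (policy.decide(legit_tool, legit_sig)[0],
                                        policy.decide(malware, malware_sig)[0])

    results["unsigned_malware"] = policy.decide(malware, None)[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:22s} {outcome}")
```

The scenario shows why a compromised publisher certificate defeats publisher trust until the revocation is dated to the start of the compromise window rather than to the date of discovery, and why a hash-based approval rule is unaffected by a stolen key: it never trusted the signer in the first place.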
The VOHO campaign
The VOHO campaign, first publicized by RSA, is one of the largest and most successful watering-hole attacks to date. The campaign combined both regional and industry-specific attacks and predominantly targeted organizations that operate in the United States. In a rapidly spreading two-phase attack, which started on June 25 and finished July 18, nearly 4,000 machines had downloaded a malicious payload. These payloads were being delivered to unsuspecting victims from legitimate websites that were strategically compromised.
This watering-hole infection technique was quite innovative at the time. In a watering-hole attack, the attacker compromises a legitimate website that the target uses and trusts. The attacker then lies in wait for the target to visit the compromised site in order to infect them. The scale and targeted nature of the VOHO campaign set it apart from watering-hole attacks observed in the past. The group first adopted this technique in December 2011, when an exploit for the Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544) was leveraged to distribute their payloads. Following their success, strategic website compromises have been adopted by many other attack groups, as seen in a notable attack targeting iOS developers earlier in 2013 which impacted employees at Facebook, Apple and Twitter.
In the VOHO campaign, ten legitimate websites were strategically compromised. The attackers carefully selected these websites based on the likelihood that the intended target(s) would visit them during the exploit delivery phase. The attackers likely pre-determined who visited the watering-hole in advance of the distribution phase of the attack. This could easily be achieved by examining the access logs of compromised Web servers. The categories of websites compromised were both regional and industry-specific in nature and targeted the key areas illustrated in Figure 5.
Figure 5. The VOHO campaign target regions and industries
Figure 6. The VOHO campaign malicious activity timeline – a two-phase attack
Timeline of activity
The VOHO watering-hole distributed remote access Trojans in two phases. In phase one of the attack, an Internet
Explorer zero-day vulnerability, the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution
Vulnerability (CVE-2012-1889), was leveraged. On July 10, Microsoft introduced the patch for CVE-2012-1889
and activity at the watering-hole ceased. This appears to have been a clever decision on behalf of the attackers.
If they continued to deliver the exploit, they risked detection and would have hurt their chances of retaining
access to the watering-hole for phase two of the campaign. Within six days, phase two of the distribution began,
this time using a malicious Java applet exploiting the Oracle Java SE CVE-2012-1723 Remote Code Execution
Vulnerability (CVE-2012-1723). This Java exploit was patched at the time. Having already used two zero-day
exploits in quick succession (the first zero-day exploit was used in the GOTHAM campaign in May 2012, see
appendix for more details), the Hidden Lynx group may not have had another one at their disposal.
The timeline of activity at the watering-hole is shown in Figure 6.
In each phase of the attack, two Trojans were being distributed at different intervals. The customized version
of “Gh0st RAT”, Backdoor.Moudoor, saw large-scale distribution in comparison to Trojan.Naid, which was used
more selectively in these attacks.
Before being used in the second phase of the attack, Trojan.Naid was signed with the Bit9 certificate. Moudoor
was never observed during the attack on Bit9, which could indicate that two separate teams are at work
here. With Moudoor and Naid using different command-and-control (C&C) servers, each team could work
independently on alternative objectives. The discovery of the Naid C&C would also be less likely in comparison
to Moudoor’s, as its large-scale distribution would inevitably create more noise as it continued to impact many
organizations.
Figure 7. The VOHO campaign – Trojans distributed and C&C servers used to command and control
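The two-phase delivery described above (a visit to a trusted site, exploit content pulled in, a payload downloaded moments later) leaves a recognizable sequence in outbound proxy logs, which is where a defender can hunt for it without needing the attacker’s exploit in hand. The following is an added example, not part of this report and not a Symantec detection: a hunting heuristic that groups proxy requests per client and flags a Java archive fetched from a host other than the page that referred to it, followed within a short window by a binary download. The log format, hostnames and client addresses are constructed placeholders, not indicators from the VOHO campaign.

```python
"""
Proxy-log hunting heuristic for the drive-by pattern described above (page visit to
a legitimate site, applet pulled from a different host, binary download moments
later). Added example, not part of the original report; the log format, hostnames
and addresses are constructed placeholders, not indicators from the VOHO campaign.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed log lines: time, client, method, URL, status, content-type, referer ("-" if none).
SAMPLE_LOG = """\
2012-07-16T09:01:02 10.0.0.5 GET http://news.example-local.org/index.html 200 text/html -
2012-07-16T09:01:03 10.0.0.5 GET http://news.example-local.org/css/site.css 200 text/css http://news.example-local.org/index.html
2012-07-16T09:01:04 10.0.0.5 GET http://cdn-static.example-bad.net/applet/Pay.jar 200 application/java-archive http://news.example-local.org/index.html
2012-07-16T09:01:09 10.0.0.5 GET http://cdn-static.example-bad.net/dl/update.exe 200 application/octet-stream -
2012-07-16T09:05:00 10.0.0.7 GET http://news.example-local.org/index.html 200 text/html -
2012-07-16T09:05:01 10.0.0.7 GET http://news.example-local.org/js/menu.js 200 application/javascript http://news.example-local.org/index.html
2012-07-16T10:30:00 10.0.0.9 GET http://intranet.example-corp.local/tools/report.jar 200 application/java-archive http://intranet.example-corp.local/tools/
2012-07-16T10:30:02 10.0.0.9 GET http://intranet.example-corp.local/tools/data.bin 200 application/octet-stream -
"""

APPLET_TYPES = {"application/java-archive", "application/x-java-archive"}
APPLET_EXT = re.compile(r"\.(jar|class)$", re.IGNORECASE)
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    host: str
    ctype: str
    referer_host: Optional[str]


def parse_line(line: str) -> Request:
    ts, client, _method, url, _status, ctype, referer = line.split()
    ref_host = urlparse(referer).hostname if referer != "-" else None
    return Request(datetime.fromisoformat(ts), client, url,
                   urlparse(url).hostname or "", ctype, ref_host)


def is_applet(r: Request) -> bool:
    return r.ctype in APPLET_TYPES or bool(APPLET_EXT.search(urlparse(r.url).path))


def find_drive_by_chains(log_text: str, window_seconds: int = 120) -> List[Dict[str, object]]:
    """Per client: an applet from a third-party host, referred by another site, then a
    binary download within `window_seconds`. Same-host applets (normal web apps) are ignored."""
    by_client: Dict[str, List[Request]] = defaultdict(list)
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        by_client[r.client].append(r)

    findings: List[Dict[str, object]] = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, r in enumerate(reqs):
            # Stage 1: applet fetched from a host other than the page that referred to it.
            if not is_applet(r) or r.referer_host is None or r.referer_host == r.host:
                continue
            # Stage 2: a binary payload reaching the same client shortly afterwards.
            for follow in reqs[i + 1:]:
                gap = (follow.ts - r.ts).total_seconds()
                if gap > window_seconds:
                    break
                if follow.ctype in PAYLOAD_TYPES:
                    findings.append({"client": client, "landing_host": r.referer_host,
                                     "applet_host": r.host, "payload_url": follow.url,
                                     "seconds_between": int(gap)})
                    break
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(SAMPLE_LOG):
        print(f)
```

Two caveats a practitioner would add. The cross-host rule deliberately ignores applets served from the referring site itself, so an exploit hosted directly on the compromised site would need a different stage-one condition (for example, a newly appearing archive on a site with no history of serving them). And because the second-phase Trojan.Naid was signed with the stolen Bit9 certificate, the payload looks like an ordinary software download at the proxy; the heuristic is a triage aid that tells you which hosts to examine, not a verdict.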
Team Naid’s role
During this campaign, Team Naid had a very specific objective – to gain access to information from organizations
operating in the defense industrial sector. An unsigned version of Naid was distribute