Hidden Lynx: Chinese Hackers Hit Bit9 And Hundreds More

Crew that hit Bit9 earlier this year is based in China and continues to wreak havoc across the world, say researchers

A Chinese hackers-for-hire group responsible for a serious attack on security company Bit9 in February had been attacking hundreds of other businesses and government bodies over recent years, according to researchers.

It is believed the group got access to Bit9’s trusted file signing infrastructure, with subsequent attacks targeting US defence contractors who were using Bit9 technology. Having found it too difficult to breach the defence companies’ own systems, they found a supplier was their best way in.

China © Stephen Finn, Shutterstock 2012The group, operating since at least 2009, has affiliations with Operation Aurora, which waged war against major US corporations including Google, Symantec said.

Bit9 hack just one of many

Symantec has called the hacking collective Hidden Lynx, saying it likely consists of 50 to 100 operatives, who have attacked “hundreds of different organisations in many different regions”.

“The Bit9 compromise was only a small piece of a much larger watering-hole operation known as the VOHO campaign, which impacted hundreds of organizations in the United States,” security researchers said in their report.

“Further, the VOHO campaign itself was just one campaign of many that is attributable to this incredibly prolific group. Each campaign is designed to access information in governmental and commercial organisations that tend to operate in the wealthiest and most technologically advanced countries in the world.”

The VOHO campaign, initially detailed by RSA, saw a host of websites compromised in order to chuck malware at targets’ machines.

Hidden Lynx consists of two divisions, which use separate command and control infrastructures. Team Moudoor leads the mass infection side, with a modified version of Gh0st RAT. Team Naid is an elite group that focuses on particularly well protected targets. The Naid Trojan was used in the Bit9 attacks and was seen in Operation Aurora.

The attackers have access to fresh zero-day exploits and are even more skilled than the Comment Crew, otherwise known as APT1, which also hails from China.  Symantec believes Hidden Lynx has been employed by nation states too.

The majority of the group’s targets are in education, finance and government industries, with 53 percent based in the US. Just 1.3 percent of attacks since 2011 hit UK entities, compared to nine percent in China and 15.5 percent in Taiwan.

Most recently, Hidden Lynx has been spotted attacking organisations in South Korea.

“We expect these attackers to be involved in many more high profile campaigns in the coming years. They will continue to adapt and innovate,” Symantec added. “They will continue to provide information servicing interests at both a corporate and state level.”

Bit9 had not responded to a request for comment at the time of publication.

How much do you know about information security? Try our quiz and find out!