Hidden Lynx: Chinese Hackers Hit Bit9 And Hundreds More

A Chinese hackers-for-hire group responsible for a serious attack on security company Bit9 in February had been attacking hundreds of other businesses and government bodies over recent years, according to researchers.

It is believed the group got access to Bit9’s trusted file signing infrastructure, with subsequent attacks targeting US defence contractors who were using Bit9 technology. Having found it too difficult to breach the defence companies’ own systems, they found a supplier was their best way in.

The group, operating since at least 2009, has affiliations with Operation Aurora, which waged war against major US corporations including Google, Symantec said.

Bit9 hack just one of many

Symantec has called the hacking collective Hidden Lynx, saying it likely consists of 50 to 100 operatives, who have attacked “hundreds of different organisations in many different regions”.

“The Bit9 compromise was only a small piece of a much larger watering-hole operation known as the VOHO campaign, which impacted hundreds of organizations in the United States,” security researchers said in their report.

“Further, the VOHO campaign itself was just one campaign of many that is attributable to this incredibly prolific group. Each campaign is designed to access information in governmental and commercial organisations that tend to operate in the wealthiest and most technologically advanced countries in the world.”

The VOHO campaign, initially detailed by RSA, saw a host of legitimate websites compromised so that they delivered malware to the machines of targeted visitors.

Hidden Lynx consists of two divisions, which use separate command and control infrastructures. Team Moudoor leads the mass infection side, with a modified version of Gh0st RAT. Team Naid is an elite group that focuses on particularly well protected targets. The Naid Trojan was used in the Bit9 attacks and was seen in Operation Aurora.

The attackers have access to fresh zero-day exploits and are even more skilled than the Comment Crew, otherwise known as APT1, which also hails from China. Symantec believes Hidden Lynx has been employed by nation states too.

The majority of the group’s targets are in the education, finance and government sectors, with 53 percent based in the US. Just 1.3 percent of attacks since 2011 hit UK entities, compared to nine percent in China and 15.5 percent in Taiwan.

Most recently, Hidden Lynx has been spotted attacking organisations in South Korea.

“We expect these attackers to be involved in many more high profile campaigns in the coming years. They will continue to adapt and innovate,” Symantec added. “They will continue to provide information servicing interests at both a corporate and state level.”

Bit9 had not responded to a request for comment at the time of publication.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.