
Insight live on IT security - Peter Schjøtt

In October 2013, Version2 Insight live hosted a debate on IT security.

Page 1: Insight live on IT security - Peter Schjøtt

Symantec Security Response

Peter Schjøtt, Symantec Denmark

Hidden Lynx - Professional Hackers for Hire

Page 2

Who is the Hidden Lynx group?

• "Hackers for hire", established before 2009
• Based in China
• Highly customized tools and access to 0-day exploits
• Pioneered large-scale "watering hole" attacks (the VOHO campaign)
• More capable than Comment Crew/APT1
• Proficient, innovative, methodical

(Slide graphic: Tools, Tactics, Procedures)

Page 3

Characteristics of Hidden Lynx

• Well resourced: 50-100 people
• Diverse range of targets
• Concurrent campaigns
• Can penetrate tough targets

Page 4

The Two Sides of Hidden Lynx

Same organization but different teams...

Team Naid: elite, precise, surgical
• Uses: Trojan.Naid
• Scope: special operations (small team)
• Targets: information of national interest
• Examples: Bit9 attack, Operation Aurora

Team Moudoor: skilled, prolific, indiscriminate
• Uses: Backdoor.Moudoor (a customized "Gh0st RAT")
• Scope: wide-scope attacks (large team)
• Targets: financial sector, all levels of government, healthcare, education and legal

Page 5

Motivations

Corporate espionage (MOUDOOR)
• Investment banks, asset management and law firms
• Stock markets/brokers
• Insider information on mergers and acquisitions
• Financially motivated: corporate advancement, access to trade secrets

Government espionage (NAID)
• Government and contractors, especially in the defense industry
• Seeking access to confidential information of significant interest to nation states

Page 6

Who's Targeted – Verticals

Share of targets by sector (slide chart):
• Financial: 25%
• Educational: 18%
• Government: 15%
• ICT/IT: 12%
• Healthcare: 7%
• Engineering/Industrial: 5%
• Legal: 5%
• Media: 5%
• Defense: 4%
• NGO: 4%

• Hundreds of targets
• Dozens of campaigns
• Direct/indirect attacks

Page 7

Who's Targeted – Top 10 Countries

Share of targets by country (slide chart):
• USA: 52.7%
• Taiwan: 15.5%
• China: 9%
• Hong Kong: 4%
• Japan: 3%
• Canada: 2.4%
• Germany: 2.2%
• Russian Federation: 1.7%
• Australia: 1.5%
• Republic of Korea: 1.5%

Page 8

Tools, Tactics and Procedures

• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
  – Trojanizing driver files in the supply chain to infiltrate the final targets
• 0-day and known exploits
  – Since 2011, five exploits, including three 0-day exploits
  – Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
  – Stole the Bit9 signing certificate to bypass Bit9's trust-based protection model
• Tell-tale characteristics of a professional and skilled group

Page 9

The Bit9 Attack

• A branch of the VOHO campaign
• Bit9 offers a trust-based security platform
  – Everything signed by Bit9 is trusted and allowed to run
• Initial incursion
  – SQL injection on a Bit9 server (July 2012)
  – Installed Backdoor.Hikit as a beachhead
• Bit9's code-signing certificate was compromised
  – Used to sign 32 malicious binaries, including Trojan.Naid
  – The signed files were used in subsequent attacks against the United States defense industry
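The Bit9 slide shows the failure mode of a pure signature-trust model: once the signing key is stolen, "signed by the vendor" proves nothing. The following is an added example, not code from the deck or from Bit9, that models a minimal application-control decision in Python and contrasts the naive rule (any trusted signer runs) with a hardened one (hash denylist first, then signer allowlist, then revocation measured against a trusted countersignature timestamp). All thumbprints, hashes, dates and the `SignedBinary` record type are constructed for illustration.

```python
"""Added example (not from the Symantec deck): a minimal application-control trust
decision showing why 'signed by a trusted vendor' is not enough once a signing
certificate has been stolen, and what a hardened policy checks instead.
All thumbprints, hashes and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class SignedBinary:
    sha256: str                       # file hash (constructed values below)
    signer_thumbprint: Optional[str]  # thumbprint of the leaf code-signing cert, None if unsigned
    signed_at: Optional[datetime]     # trusted (RFC 3161-style) countersignature time, None if absent


# Policy state, all hypothetical.
TRUSTED_SIGNERS = {"THUMB-VENDOR-1": "Vendor code-signing cert"}
# A compromised certificate is recorded with the earliest time it is believed to have
# been in the attacker's hands, rather than simply deleted: files the vendor legitimately
# signed and timestamped before that moment can stay allowed.
COMPROMISED_SIGNERS = {"THUMB-VENDOR-1": datetime(2012, 7, 1, tzinfo=timezone.utc)}
# Hashes of known malicious binaries signed with the stolen key (vendors publish these
# after an incident); a hash denylist overrides any signature.
BLOCKED_HASHES = {"sha256-constructed-malicious-1"}


def naive_allow(b: SignedBinary) -> bool:
    """The trust model the attackers bypassed: any signature from a trusted signer runs."""
    return b.signer_thumbprint in TRUSTED_SIGNERS


def hardened_allow(b: SignedBinary) -> tuple[bool, str]:
    """Deny-first decision: hash denylist, then signer allowlist, then revocation by time."""
    if b.sha256 in BLOCKED_HASHES:
        return False, "hash is denylisted"
    if b.signer_thumbprint not in TRUSTED_SIGNERS:
        return False, "unsigned or unknown signer"
    compromised_at = COMPROMISED_SIGNERS.get(b.signer_thumbprint)
    if compromised_at is not None:
        # Without a trusted timestamp the signing time is whatever the signer claims,
        # so it cannot prove the file predates the theft.
        if b.signed_at is None or b.signed_at >= compromised_at:
            return False, "signer compromised; no trusted timestamp or signed after compromise"
    return True, "trusted signer, timestamped before compromise"


# Constructed sample inventory.
SAMPLES = {
    "vendor_agent_2011": SignedBinary("sha256-constructed-legit-1", "THUMB-VENDOR-1",
                                      datetime(2011, 11, 3, tzinfo=timezone.utc)),
    "attacker_dropper": SignedBinary("sha256-constructed-malicious-1", "THUMB-VENDOR-1",
                                     datetime(2012, 7, 20, tzinfo=timezone.utc)),
    "attacker_unknown": SignedBinary("sha256-constructed-malicious-2", "THUMB-VENDOR-1", None),
    "unsigned_tool": SignedBinary("sha256-constructed-other", None, None),
}


def evaluate(samples=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Returns {name: (naive_decision, hardened_decision)} so the two models can be compared."""
    return {name: (naive_allow(b), hardened_allow(b)[0]) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:20s} naive={naive!s:5} hardened={hard}")
```

The point of the comparison: the naive rule lets both attacker binaries run because they carry a technically valid vendor signature; the hardened rule stops one by hash and the other because it cannot prove, with a trusted timestamp, that it was signed before the key was stolen, while the vendor's own pre-compromise file keeps running.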

Page 10

The VOHO Campaign – A Recap

• Large watering hole attack on ten strategic websites
• A two-phased attack, with C&C logs showing 4000+ infections
• Started on June 25 and finished July 18, 2012
• Exploits
  – IE zero-day (CVE-2012-1889)
  – Oracle Java (CVE-2012-1723)
• Once the zero-day vulnerability was patched, activity temporarily halted to avoid drawing attention
• Malware
  – Backdoor.Moudoor and Trojan.Naid
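The watering hole technique on the TTP slide and in this VOHO recap has a recognisable shape in web-proxy logs: many internal hosts browse one legitimate site and, from its pages, are sent to fetch active content (a Java archive, Flash, an executable) from a host that is not one of your expected content sources. The following is an added example, not code from the deck or from Symantec, that runs that detection logic over constructed proxy log lines in Python. The log format, hostnames, MIME-type list and the three-victim threshold are assumptions for the example.

```python
"""Added example (not from the Symantec deck): detection logic for the watering-hole
pattern, run over constructed web-proxy log lines. It reports (referring site, payload
host) pairs that pulled active content onto several distinct internal hosts."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log format: "<timestamp> <src-ip> <method> <url> <status> <content-type> <referer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)

# MIME types and extensions that mean "code the browser will execute", which is what an
# exploit page delivers after the lure page (assumed list; extend for your environment).
ACTIVE_TYPES = {
    "application/java-archive", "application/x-java-applet",
    "application/x-shockwave-flash", "application/octet-stream", "application/x-msdownload",
}
ACTIVE_EXTS = (".jar", ".class", ".swf", ".exe", ".dll")

# Hosts from which active content is expected (assumed allowlist of your own CDN/update servers).
EXPECTED_PAYLOAD_HOSTS = {"cdn.corp-example.com"}


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (never raise on log noise)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_active_content(ctype: str, url: str) -> bool:
    path = urlsplit(url).path.lower()
    return ctype.lower() in ACTIVE_TYPES or path.endswith(ACTIVE_EXTS)


def find_watering_holes(lines, min_victims: int = 3):
    """Group successful active-content fetches by (referring site, payload host) and report
    pairs seen from at least min_victims distinct source hosts. One host hitting an odd
    domain is noise; a fan-out from one referrer to one payload host is the signature."""
    victims = defaultdict(set)
    payload_urls = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-" or rec["status"] != "200":
            continue
        if not is_active_content(rec["ctype"], rec["url"]):
            continue
        payload_host = urlsplit(rec["url"]).hostname
        lure_host = urlsplit(rec["referer"]).hostname
        if payload_host is None or lure_host is None or payload_host in EXPECTED_PAYLOAD_HOSTS:
            continue
        victims[(lure_host, payload_host)].add(rec["src"])
        payload_urls[(lure_host, payload_host)].add(rec["url"])
    findings = []
    for (lure, payload), hosts in victims.items():
        if len(hosts) >= min_victims:
            findings.append({
                "watering_hole": lure,
                "payload_host": payload,
                "victims": sorted(hosts),
                "payload_urls": sorted(payload_urls[(lure, payload)]),
            })
    return sorted(findings, key=lambda f: -len(f["victims"]))


# Constructed sample: four staff browse a legitimate community site whose pages now embed an
# applet served from an unrelated host; one staff member fetches a JAR from the corporate CDN.
SAMPLE_LOG = """\
2012-07-02T09:14:03Z 10.1.2.3 GET http://community-site.example/news 200 text/html -
2012-07-02T09:14:05Z 10.1.2.3 GET http://static-assets.example/x.jar 200 application/java-archive http://community-site.example/news
2012-07-02T09:16:41Z 10.1.2.7 GET http://community-site.example/news 200 text/html -
2012-07-02T09:16:43Z 10.1.2.7 GET http://static-assets.example/x.jar 200 application/java-archive http://community-site.example/news
2012-07-02T09:20:10Z 10.1.2.9 GET http://community-site.example/events 200 text/html -
2012-07-02T09:20:12Z 10.1.2.9 GET http://static-assets.example/x.jar 200 application/java-archive http://community-site.example/events
2012-07-02T09:31:55Z 10.1.2.12 GET http://community-site.example/news 200 text/html -
2012-07-02T09:31:57Z 10.1.2.12 GET http://static-assets.example/x.jar 200 application/java-archive http://community-site.example/news
2012-07-02T09:40:00Z 10.1.2.20 GET http://cdn.corp-example.com/tools/helper.jar 200 application/java-archive http://intranet.corp-example.com/
2012-07-02T09:41:00Z 10.1.2.21 GET http://community-site.example/style.css 200 text/css http://community-site.example/news
this line is not a log record
""".splitlines()


if __name__ == "__main__":
    for f in find_watering_holes(SAMPLE_LOG):
        print(f"{f['watering_hole']} -> {f['payload_host']}: "
              f"{len(f['victims'])} victims, payloads {f['payload_urls']}")
```

Two caveats worth keeping in mind when running this for real: the recap notes that the campaign went quiet once the zero-day was patched, so the fan-out may span only a few days and a query window that is too short will miss it; and the exploit can be hosted on the compromised site itself rather than a third-party host, which this logic still catches because it keys on the referrer, not on a cross-origin fetch.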

Page 11

Vital Links

Clues that link the campaigns of the Hidden Lynx group together:
• Consistent use of the same two customized Trojans
  – Backdoor.Moudoor
  – Trojan.Naid
• Use of the same C&C server over multiple campaigns
• Use of the same infected websites for distribution of NAID or MOUDOOR, depending on the victim
• Repeated attacks on the same set of target organizations
  – In particular finance, government and IT/ICT organizations
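The links on this slide are the kind of evidence an analyst pivots on to decide that separate intrusions are one actor's work, and not every link is equally strong: a shared C&C server or a shared distribution site is hard evidence, a shared custom Trojan is strong, and a shared target sector alone proves little because many groups hit finance. The following is an added example, not code from the deck or from Symantec, that turns that reasoning into a small Python clustering routine: campaigns are scored pairwise on the indicators they share, pairs above a threshold are joined with union-find so that transitive links (A-B, B-C) form one cluster, and every merge carries the indicators that justified it. The campaign records, indicator values, weights and threshold are constructed for the example.

```python
"""Added example (not from the Symantec deck): linking separate intrusion campaigns into
actor clusters from shared indicators, with explainable evidence for every merge.
Campaign records, indicator values, weights and the threshold are constructed."""
from collections import defaultdict
from itertools import combinations

# Indicator classes and how strongly sharing one ties two campaigns together (assumed weights).
WEIGHTS = {"c2": 3, "distribution_site": 3, "malware": 2, "sector": 1}
LINK_THRESHOLD = 3  # minimum total weight before two campaigns are joined

# Constructed campaign records (hostnames and the 'OtherRAT' family are placeholders).
CAMPAIGNS = {
    "campaign-A": {"malware": {"Backdoor.Moudoor"}, "c2": {"c2-one.example"},
                   "distribution_site": {"lure-1.example"}, "sector": {"finance"}},
    "campaign-B": {"malware": {"Trojan.Naid"}, "c2": {"c2-one.example"},
                   "distribution_site": {"lure-2.example"}, "sector": {"defense"}},
    "campaign-C": {"malware": {"Backdoor.Moudoor"}, "c2": {"c2-two.example"},
                   "distribution_site": {"lure-2.example"}, "sector": {"government"}},
    "campaign-D": {"malware": {"OtherRAT"}, "c2": {"c2-three.example"},
                   "distribution_site": {"lure-9.example"}, "sector": {"finance"}},
    "campaign-E": {"malware": {"Backdoor.Moudoor"}, "c2": {"c2-four.example"},
                   "distribution_site": {"lure-7.example"}, "sector": {"finance"}},
}


def link_evidence(a: dict, b: dict) -> tuple[int, list[str]]:
    """Score two campaigns and list the shared indicators that produced the score."""
    score, reasons = 0, []
    for kind, weight in WEIGHTS.items():
        for shared in sorted(a.get(kind, set()) & b.get(kind, set())):
            score += weight
            reasons.append(f"{kind}:{shared}")
    return score, reasons


class DisjointSet:
    """Union-find over campaign names, so transitive links (A-B, B-C) form one cluster."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(campaigns=CAMPAIGNS, threshold: int = LINK_THRESHOLD):
    """Return (clusters, edges): clusters as sorted lists of campaign names, edges as the
    pairwise links with their evidence, so every merge is explainable to an analyst."""
    ds = DisjointSet(campaigns)
    edges = []
    for a, b in combinations(sorted(campaigns), 2):
        score, reasons = link_evidence(campaigns[a], campaigns[b])
        if score >= threshold:
            ds.union(a, b)
            edges.append((a, b, score, reasons))
    groups = defaultdict(list)
    for name in campaigns:
        groups[ds.find(name)].append(name)
    clusters = sorted(sorted(members) for members in groups.values())
    return clusters, edges


if __name__ == "__main__":
    clusters, edges = cluster_campaigns()
    for a, b, score, reasons in edges:
        print(f"{a} <-> {b} (score {score}): {', '.join(reasons)}")
    print("clusters:", clusters)
```

In the constructed data, A and C share only the Moudoor family, which on its own stays below the threshold, yet they end up in one cluster because A shares a C&C server with B and B shares a lure site with C; D shares nothing but a target sector with anyone and stays separate. Raising the threshold to 4 dissolves every link, which is the knob to turn when you want only infrastructure-grade evidence to merge cases.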

Page 12

Hidden Lynx, conclusion

• Active since 2009 with many attack campaigns
• Highly motivated, skilled and efficient
• Has used three zero-day vulnerabilities since 2011
• Many different targets, therefore most likely a "hackers for hire" service
• The majority of attacks originated through watering hole techniques, but spear-phishing and supply chain hacks have also been used
• Usually seeking intellectual property
• Anybody who supplies a targeted organization is a potential victim, including IT/ICT, financial and legal services, and manufacturing organizations

Page 13

Corporate espionage – closer to home

"We have always been aware that the intelligence services and the business community in the USA work closely together."

Markus Stäidinger, German IT security expert
Quote from Børsen, 30 October 2013

"The Americans spy on us, including commercially and industrially, just as we spy on them. It is in our national interest to defend the business community."

Bernard Squarcini, former head of France's intelligence service
Quote from Børsen, 25 October 2013

Page 14

Last words...

• The "Hidden Lynx" group described here is not the only "hackers for hire" operation, although it is one of the most skilled and professional
• Hackers for hire: many exist
• Hackers for hire are a threat to your business
• The threat does not disappear: should you adjust your risk assessment?

Page 15

How to get more information

Blog: http://www.symantec.com/connect/symantec-blogs/sr
Twitter: http://twitter.com/threatintel
Whitepapers: http://www.symantec.com/security_response/whitepapers.jsp

Page 16

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
