Symantec Security Response 1
Peter Schjøtt, Symantec Denmark
Hidden Lynx - Professional Hackers for Hire
Who is the Hidden Lynx group?
• “Hackers for Hire”, established before 2009
• Based in China
• Highly customized tools and access to 0-day exploits
• Pioneered large scale “Watering Hole” attacks (AKA the VOHO Campaign)
• More capable than Comment Crew/APT1
• Proficient, Innovative, Methodical
Characteristics of Hidden Lynx
(Diagram: Tools, Tactics, Procedures)
Well resourced: 50-100 people
Diverse range of targets
Concurrent campaigns
Can penetrate tough targets
The Two Sides of Hidden Lynx
Same organization but different teams…
Team Naid: elite, precise, surgical
– Uses: Trojan.Naid
– Scope: Special operations (small team)
– Targets: Information of national interest
– Examples: Bit9 attack, Operation Aurora
Team Moudoor: skilled, prolific, indiscriminate
– Uses: Backdoor.Moudoor (custom “Gh0st RAT”)
– Scope: Wide-scope attacks (large team)
– Targets: Financial sector, all levels of government, healthcare, education and legal
Motivations
Corporate espionage (MOUDOOR)
• Investment banks, asset management & law firms
• Stock markets/brokers
• Insider information on mergers & acquisitions
• Financially motivated, corporate advancement, access to trade secrets
Government espionage (NAID)
• Government & contractors, especially in the defense industry
• Seeking access to confidential information of significant interest to nation states
Who’s Targeted – Verticals
• 18% Educational
• 25% Financial
• 15% Government
• 12% ICT/IT
• 7% Healthcare
• 5% Engineering/Industrial
• 5% Legal
• 5% Media
• 4% Defense
• 4% NGO
Hundreds of targets, dozens of campaigns, direct/indirect attacks
Who’s Targeted – Top 10 Countries
• 52.7% USA
• 15.5% Taiwan
• 9% China
• 4% Hong Kong
• 3% Japan
• 2.4% Canada
• 2.2% Germany
• 1.7% Russian Federation
• 1.5% Australia
• 1.5% Republic of Korea
Tools, Tactics and Procedures
• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
– Trojanizing driver files in the supply chain to infiltrate final targets
• 0-day and known exploits
– Since 2011, 5 exploits including 3 0-day exploits
– Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
– Stole Bit9 signing certificate to bypass their trust protection model
• Tell-tale characteristics of a professional and skilled group
The Bit9 Attack
• A branch of the VOHO campaign
• Bit9 offers a trust-based security platform
– Everything signed by Bit9 is trusted and allowed to run
• Initial incursion
– SQL injection on Bit9 server (July 2012)
– Installed Backdoor.Hikit as a beachhead
• Bit9’s code-signing certificate was compromised
– Used to sign 32 malicious binaries, including Trojan.Naid
– Files used in subsequent attacks against the United States defense industry
The VOHO Campaign – A Recap
• Large watering hole attack on ten strategic websites
• A two-phased attack with C&C logs showing 4000+ infections
• Started on June 25 and finished July 18, 2012
• Exploits
– IE zero-day (CVE-2012-1889)
– Oracle Java (CVE-2012-1723)
• Once the zero-day vulnerability got patched, activities temporarily halted to avoid drawing attention
• Malware
– Backdoor.Moudoor & Trojan.Naid
Vital Links
Clues that link the campaigns of the Hidden Lynx group together:
• Consistent use of the same two customized Trojans
– Backdoor.Moudoor
– Trojan.Naid
• Use of the same C&C server over multiple campaigns
• Use of the same infected websites for distribution of NAID or MOUDOOR, depending on the victim
• Repeated attacks on the same set of target organizations
– In particular, finance, government, and IT/ICT organizations
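To show how the linking clues above can be turned into an analysis step, here is an added example (not from Symantec or the original deck) that clusters constructed campaign records by shared C&C servers and distribution sites; the campaign ids and hostnames are placeholders, not real indicators.

```python
"""Cluster campaigns by shared C&C servers and distribution sites (constructed
example, not Symantec data). Campaigns sharing an indicator are linked and
links are transitive (union-find), so overlapping campaigns form one cluster."""
from collections import defaultdict

# Constructed sample records; hostnames are placeholders, not real indicators.
CAMPAIGNS = [
    {"id": "camp-A", "malware": "Trojan.Naid", "c2": "c2-1.example", "site": "site-1.example"},
    {"id": "camp-B", "malware": "Backdoor.Moudoor", "c2": "c2-1.example", "site": "site-2.example"},
    {"id": "camp-C", "malware": "Backdoor.Moudoor", "c2": "c2-2.example", "site": "site-2.example"},
    {"id": "camp-D", "malware": "Trojan.Naid", "c2": "c2-3.example", "site": "site-3.example"},
    {"id": "camp-E", "malware": "OtherRAT", "c2": "c2-9.example", "site": "site-9.example"},
]

# Infrastructure overlap is the strong link; adding "malware" as a key works for
# a custom Trojan, but a widely shared RAT family would over-cluster unrelated actors.
LINKING_KEYS = ("c2", "site")

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_campaigns(campaigns, keys=LINKING_KEYS):
    """Return sorted clusters (lists of campaign ids) joined by shared indicators."""
    parent = {c["id"]: c["id"] for c in campaigns}
    first_use = {}  # (key, value) -> first campaign that used that indicator
    for c in campaigns:
        for k in keys:
            ind = (k, c[k])
            if ind in first_use:  # seen before: merge the two campaigns' sets
                parent[_find(parent, c["id"])] = _find(parent, first_use[ind])
            else:
                first_use[ind] = c["id"]
    groups = defaultdict(list)
    for cid in parent:
        groups[_find(parent, cid)].append(cid)
    return sorted(sorted(g) for g in groups.values())

def shared_indicators(campaigns, cluster, keys=LINKING_KEYS):
    """Indicators used by more than one campaign in the cluster: evidence for the link."""
    users = defaultdict(set)
    for c in campaigns:
        if c["id"] in cluster:
            for k in keys:
                users[(k, c[k])].add(c["id"])
    return sorted(ind for ind, ids in users.items() if len(ids) > 1)
```

With the default keys, camp-A, camp-B and camp-C collapse into one cluster through a shared C&C host and a shared distribution site, while camp-D only joins when the custom Trojan family is also treated as a linking key.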
Hidden Lynx, conclusion
• Active since 2009 with many attack campaigns
• Highly motivated, skilled and efficient
• Used three zero-day vulnerabilities since 2011
• Many different targets, therefore most likely a “Hackers for Hire” service
• Majority of attacks originated through watering hole techniques, but spear phishing & supply chain hacks have also been used
• Usually seeking intellectual property
• Anybody who supplies a targeted organization is a potential victim including IT/ICT, financial and legal service, and manufacturing organizations
Corporate espionage – closer to home
“We have always been aware that the intelligence services and the business community in the USA work closely together.”
Markus Stäidinger, German IT security expert
Quote from Børsen, 30 October 2013
“The Americans spy on us, also in trade and industry, just as we spy on them. It is in our national interest to defend the business community.”
Bernard Squarcini, former head of France’s intelligence service
Quote from Børsen, 25 October 2013
Last words…
• The described “Hidden Lynx” group is not the only “Hackers for hire”, although it is one of the most skilled and professional
• Hacker(s) for hire: many exist
• Hacker(s) for hire are a threat to your business
• The threat does not disappear -> should you adjust your risk assessment?
How to get more information
Blog: http://www.symantec.com/connect/symantec-blogs/sr
Twitter: http://twitter.com/threatintel
Whitepapers: http://www.symantec.com/security_response/whitepapers.jsp
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.