Elite Chinese Cyberspy Group Behind Bit9 Hack

Professional, for-hire 'Hidden Lynx' gang steals intellectual property on-demand -- mostly from U.S.-based targets


An elite and sophisticated cyberespionage group out of China was behind the breach of security firm Bit9 and the theft of its digital code-signing certificates, which were later used to target some Bit9 customers, according to new research from Symantec.

The so-called "Hidden Lynx" cyberspy gang has waged targeted attacks since at least 2009. Its attacks included water-holing campaigns in which the group injected malware into legitimate websites likely frequented by its targeted industries and then sifted out its true targets, mainly financial services firms in the U.S. Symantec says the gang was behind the VOHO water-holing attacks in June 2012, when the attackers also broke into an internal Bit9 server to gain access to the firm's file-signing infrastructure in order to sign malware. The gang is also tied to Operation Aurora, revealed in 2010, which targeted Google, Intel, Adobe, and other major U.S. firms.

Bit9 this spring revealed details on the breach, which resulted in attacks against three of its customers. The security firm confessed that an "operational oversight" led to the breach, with a virtual system on its network running without the company's own whitelisting software. Harry Sverdlove, chief technology officer at Bit9, revealed that the initial compromise dated back to July 2012 via a SQL injection attack on one of its Internet-facing Web servers; the breach was discovered in January of this year.
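The breach described above illustrates why an allowlisting product must not trust a signer alone once a signing certificate is known to be compromised. The following is an added example, not Bit9's or Symantec's code: a small trust-evaluation routine that approves a binary by explicit hash first, and otherwise only trusts a signature whose certificate has no known compromise or whose trusted timestamp predates the compromise window. The certificate thumbprint, hashes and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed placeholder: a real thumbprint and compromise date would come
# from the vendor's advisory. Only the start of the compromise window matters,
# because anything signed after it may be attacker-signed.
COMPROMISED_CERTS = {
    "PLACEHOLDER-COMPROMISED-SIGNER-THUMBPRINT": datetime(2012, 7, 1, tzinfo=timezone.utc),
}

# Constructed allowlist of explicitly approved file hashes (hypothetical values).
HASH_ALLOWLIST = {
    "sha256:0000000000000000000000000000000000000000000000000000000000000001": "approved-tool.exe",
}


@dataclass
class Binary:
    sha256: str
    signer_thumbprint: Optional[str]   # None when the file is unsigned
    signed_at: Optional[datetime]      # trusted countersignature time, None if absent


def evaluate(b: Binary) -> Tuple[bool, str]:
    """Return (allow, reason).

    Explicit hash approval always wins. A signature is trusted only if the
    signing certificate has no known compromise, or if a trusted timestamp
    proves the file was signed before the compromise window began."""
    if b.sha256 in HASH_ALLOWLIST:
        return True, "hash explicitly approved"
    if b.signer_thumbprint is None:
        return False, "unsigned and not in hash allowlist"
    compromised_since = COMPROMISED_CERTS.get(b.signer_thumbprint)
    if compromised_since is None:
        return True, "signed by a certificate with no known compromise"
    if b.signed_at is None:
        # Without a timestamp nothing distinguishes a legitimate old build
        # from malware signed with the stolen key.
        return False, "signer compromised and no trusted timestamp"
    if b.signed_at < compromised_since:
        return True, "timestamped before the compromise window"
    return False, "signed during or after the compromise window"
```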

Symantec says three defense industrial base organizations were attacked by Hidden Lynx, but they were Symantec customers, not Bit9 customers.

"On our side, we got samples from three different organizations all in the defense supply sector ... these were customers of ours who were at the targeted end of this attack. We don't know if they got breached or infected" by the malware, but the customers provided the samples to Symantec, says Vikram Thakur, a researcher with Symantec Security Response.

Says a Bit9 spokesperson regarding its customers that were attacked in the wake of its breach: "The customers were not government or military entities, nor were they defense contractors or otherwise part of the DIB."

Bit9 has stopped short of providing any details on its customers who were targeted. In an interview with Dark Reading earlier this year, Sverdlove said Bit9 had to hold back some intelligence because it would have inadvertently helped identify one of its customers as a target. "Certainly, the attack was a larger campaign. There was evidence of the actual purpose and long-term purpose, but we were careful not to share information that would [expose] customers," Sverdlove said.

[RSA, Microsoft, and Bit9 executives share insights on how the high-profile targeted breaches they suffered have shaped things. See Security Vendors In The Aftermath Of Targeted Attacks.]

Hidden Lynx differs from other Chinese APTs, such as APT1/Comment Crew: They appear to operate on a for-hire basis, hacking specific targets for their clients who commission them, according to Symantec, which published a whitepaper on the group and its attack methods yesterday.

The group also employs "cutting edge" attack techniques, according to Symantec, including zero-day exploits and custom Trojans created for specific jobs. One Hidden Lynx team uses the Backdoor.Moudoor Trojan for the first phase attacks -- large, widespread attacks via water-holing and other methods. A second team uses Trojan.Naid, a less-prolific piece of malware, for infecting the actual targets that are sifted from the overall infected victims.

"We've seen them using water-holing like nobody else has. They use zero days to get people infected, and ... then certain portions of the victims are siphoned off to a totally different Trojan [Naid] of a smaller magnitude," Thakur says. "We've not seen that before" with APTs, he says.

It's unclear whether the group is directly employed by the Chinese government, but their infrastructure is based in China, says Vikram Thakur, principal security response manager and researcher with Symantec Security Response. "They do have an authority sitting above them. The reason we know this is because they don't just go after one type of data. By itself, that is quite striking ... They don't seem to have a fixed mandate, so they are able to channel all sorts of stolen information to somebody else. Someone is telling them what needs to be done."

Symantec estimates that the group ranges from 50 to 100 individuals targeting hundreds of different targets, 24.6 percent of which are in the financial industry, 17.41 percent in education, 15.08 percent in government, 12.39 percent in ICT/IT, 6.64 percent in engineering, as well as about 4 to 5 percent in industries such as defense, engineering, and media.

Nearly 53 percent of the targeted organizations with infections are in the U.S., followed by Taiwan (15.3 percent) and China (9 percent), so Symantec says U.S. firms are by far the main targets. Other nations with minuscule infection counts were likely collateral damage, such as a U.S. user traveling in that nation. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets," according to a Symantec blog post.

Thakur says victims of the first Trojan are infected for at most about a week, when the attackers sift through the specific targets, likely at the behest of their contractors. "Moudoor is more popular, and most people are looking for it," so it's used in the initial attack, he says. That then masks the second-day infection from the lesser-known Naid Trojan, he says.

The Hidden Lynx gang is going after intelligence on government business deals and planned talking points in diplomacy engagements, he says. "They want real intelligence from the physical world," he says.

The group was also behind the infamous VOHO water-holing attacks that focused on organizations in Boston, infecting 4,000 machines via 10 legitimate websites the attackers had injected with malware, as well as other attack campaigns against the energy sector, and an attack that included a Trojan-laden Intel driver application that infected manufacturers and suppliers of military-grade computers.

Symantec's full report on Hidden Lynx is available here (PDF) for download.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
