Internet security researchers at Symantec have just published an analysis of one of the leading hacking groups that have been classified as “Advanced Persistent Threats”. The “Hidden Lynx” group has been credited with the mass break-in on tech companies such as Google and Adobe that occurred in 2009. Since 2011, the group has targeted hundreds of organizations, primarily in the United States, but with a significant fraction directed against organizations in Taiwan.
The Symantec report suggests that in contrast to such groups as the Comment Crew, also known as APT1 and as “Byzantine Candor” within the intelligence community (and widely suspected to be PLA Unit 61398, based in Shanghai, China) the Hidden Lynx teams are hackers for hire. Their primary target has been on the financial services industry, but they have devoted considerable attention to government and military contractors. In their campaigns, the Hidden Lynx group has attacked so-called “Watering Holes”, which are often locally focused websites with weak security that may be used or visited by users from the organizations they are targeting. In their attack on bit9, they subverted the company’s trust based anti-virus model, signing their trojans with the company’s certificates to give them an edge against other targets who were relying on bit9 trust architecture for protection.
“Hidden Lynx” runs multiple attack campaigns at any given time, and their level of sophistication combined with the ability to construct and run their own tools against this many targets lead the Symantec researchers to assess that the group has at least 50-100 members.
-Dan Gifford MCySec Media Manager/ Graduate Research Assistant.