State-Sponsored Hacker Gang Has a Side Gig in Fraud

An elite group of nation-state hackers running roughshod through the financial sector and other industries in the U.S. has pioneered techniques that others are following, and has used sophisticated methods to go after hardened targets, including hacking a security firm to undermine the security service the company provided its clients.

Image courtesy of Symantec

The highly professional group, dubbed Hidden Lynx, has been active since at least 2009, according to security firm Symantec, which has been tracking the group for some time. Hidden Lynx regularly uses zero-day exploits to bypass countermeasures they encounter. And, unusually for a government-sponsored effort, the gang appears to have a sideline staging financially motivated attacks against Chinese gamers and file-sharers.

Symantec believes the group is 50-100 people strong, given the extent of its activities and the number of hacking campaigns its members maintain concurrently.

"They are one of the most well-resourced and capable attack groups in the targeted threat landscape," Symantec writes in a report released today (.pdf). "They use the latest techniques, have access to a diverse set of exploits and have highly customized tools to compromise target networks. Their attacks, carried out with such precision on a regular basis over long periods of time, would require a well-resourced and sizeable organization."

The group has targeted hundreds of organizations -- about half of the victims are in the U.S. -- and has succeeded in breaching some of the most secure and best-protected organizations, according to Symantec. After the U.S., the largest numbers of victims are in China and Taiwan; recently the group has focused on targets in South Korea.

Attacks against government contractors and, more specifically, the defense industry suggest the group is working for agencies of a nation-state or states, Symantec says, and the diversity of the targets and of the information they're after suggests "they are contracted by multiple clients." Symantec notes that the group is primarily engaged in state-sponsored hacking, but the hacker-for-hire service it runs on the side for profit is significant.

The attackers use sophisticated techniques and display skills that are far in advance of the Comment Crew and other groups recently exposed. The Comment Crew is a group that numerous security firms have been tracking for years but got attention earlier this year when the New York Times published an extensive report tying them to the Chinese military.

The Hidden Lynx group pioneered so-called "watering hole attacks" whereby malicious actors compromise web sites frequented by people in specific industries so that their computers are infected with malware when they visit the sites. The hacking group began using the technique more than three years ago, before it became popularized by other groups last year. In some cases they maintained a persistent presence on compromised sites for two to five months.

"These are exceptionally long periods of time to retain access to compromised servers for payload distribution of this nature," says Liam O'Murchu, manager of security response operations for Symantec.

Many of the tools they use as well as their infrastructure originate from China. The command-and-control servers are also hosted in China.

“We don’t know the people who are operating this,” says O’Murchu, “we can just say there are an awful lot of indicators to China here.”

The group has a small connection to Operation Aurora, the campaign, said to have originated in China, that hacked Google in 2010 along with about thirty other companies. According to Symantec, Hidden Lynx uses one of the same Trojans that was used in those attacks.

"It's very unusual because the Trojan is unique," says O'Murchu. "We don't see it used elsewhere. The only place we see it used is in those [Aurora] attacks and this group."

O’Murchu says there may be more connections between the groups but Symantec hasn’t found any so far.

The group uses dynamic DNS to rapidly switch command-and-control servers to hide their tracks and recompiles their backdoors frequently to keep a step ahead of detection. They also switch out zero-day exploits when one is discovered. For example, when one zero-day vulnerability was patched by a vendor, they immediately swapped the exploit attacking it for a new one attacking a different, still-unpatched vulnerability.
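The dynamic DNS tradecraft described above leaves a hunting signal in resolver logs: a hostname under a dynamic DNS provider whose answers keep changing across a short window. The following is an added example, not code from Symantec's report or from the article, that walks a constructed set of DNS log lines and flags such hosts. The log format, the provider suffix list and the hostnames are assumptions made for the illustration; a real deployment would feed it from its own resolver logs and intelligence feeds.

```python
import re
from collections import defaultdict

# Illustrative parent domains of dynamic DNS providers (assumption: extend from your own intel feeds).
DYNAMIC_DNS_SUFFIXES = (
    "no-ip.com", "no-ip.org", "no-ip.biz", "dyndns.org", "ddns.net",
    "3322.org", "8800.org", "vicp.net", "changeip.com",
)

# Constructed sample log in a simple "<timestamp> <client_ip> <query_name> <answer_ip>" layout.
# This is not a real resolver format; adapt parse() to BIND, Windows DNS, Zeek dns.log, etc.
SAMPLE_LOG = """\
2012-07-02T09:00:01 10.1.4.22 update.winsvc-status.ddns.net 203.0.113.10
2012-07-02T09:05:13 10.1.4.22 update.winsvc-status.ddns.net 203.0.113.10
2012-07-02T10:11:40 10.1.4.22 update.winsvc-status.ddns.net 198.51.100.77
2012-07-02T11:30:02 10.1.4.22 update.winsvc-status.ddns.net 192.0.2.200
2012-07-02T11:31:00 10.1.4.22 update.winsvc-status.ddns.net 203.0.113.55
2012-07-02T09:02:11 10.1.4.23 www.example.com 93.184.216.34
2012-07-02T09:03:11 10.1.4.23 crl.example.com 93.184.216.34
2012-07-02T12:00:00 10.1.4.24 home.dyndns.org 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Return (timestamp, client, qname, answer) tuples, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def is_dynamic_dns(qname):
    """True if qname is, or sits under, one of the listed dynamic DNS parent domains."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def dynamic_dns_hosts(log_text):
    """Every distinct dynamic DNS hostname seen in the log, for triage."""
    return sorted({qname for _, _, qname, _ in parse(log_text) if is_dynamic_dns(qname)})


def hunt(log_text, min_ips=3):
    """Dynamic DNS hostnames whose answers spanned at least min_ips distinct addresses.

    A legitimate home host on dynamic DNS usually resolves to one address for days;
    a C2 name being rotated between servers resolves to several within hours.
    """
    answers = defaultdict(set)
    clients = defaultdict(set)
    for _, client, qname, answer in parse(log_text):
        if is_dynamic_dns(qname):
            answers[qname].add(answer)
            clients[qname].add(client)
    findings = {}
    for qname, ips in answers.items():
        if len(ips) >= min_ips:
            findings[qname] = {"resolved_ips": sorted(ips), "clients": sorted(clients[qname])}
    return findings


if __name__ == "__main__":
    for host, info in hunt(SAMPLE_LOG).items():
        print(host, "->", ", ".join(info["resolved_ips"]), "queried by", ", ".join(info["clients"]))
```

The threshold of three addresses is deliberately low for the sample; tune `min_ips` and the time window to your environment, and treat `dynamic_dns_hosts()` as a triage list rather than an alert, since plenty of benign software phones home to such names.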

In at least one interesting case, it appears the attackers gained knowledge of a zero-day exploit against an Oracle vulnerability around the same time that Oracle learned of it. The exploit was almost identical to what Oracle provided customers to test their systems.

"We don’t know what’s going on there, but we know that the information that was released from Oracle regarding the exploit is almost identical to the information that the attackers used in their exploit before that information was released," says O'Murchu. "Something is fishy there. We don’t know how they got that information. But it’s very unusual to have the vendor release attack information and have the attacker already using the information."

But their boldest attack so far targeted Bit9, which they hacked just to obtain the means to hack other targets, O'Murchu says. In this, they resemble the hackers that penetrated RSA Security in 2011. In that case, hackers targeting defense contractors went after RSA in an attempt to steal information that would allow them to undermine the RSA SecurID tokens that many defense contractors use to authenticate workers to their computer networks.

Bit9, based in Massachusetts, provides a cloud-based security service that uses whitelisting, trusted application control and other methods to defend customers against threats, making it difficult for an intruder to install an untrusted application on a Bit9 customer’s network.

The attackers first broke into the network of a defense contractor, but after finding that a server they wanted to access was protected by Bit9's platform, they decided to hack Bit9 to steal a code-signing certificate. Signing their malware with that certificate let it pass the defense contractor's Bit9 protections as trusted code.
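The lesson of the stolen certificate is that an allow-list which trusts "anything signed by our vendor" has the vendor's private key as its single point of failure. The following is an added example, not Bit9's product logic or anything from the article, showing a weak publisher-name rule beside a hardened rule that pins the certificate fingerprint, honours a revocation with an effective date (so signatures timestamped before the theft stay valid), and still admits unsigned files by hash. The vendor name, fingerprints, hashes, dates and file names are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Signature:
    publisher: str       # subject name on the code-signing certificate
    thumbprint: str      # fingerprint of that certificate (hypothetical values below)
    signed_at: datetime  # time asserted by the trusted timestamp countersignature


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str
    signature: Optional[Signature]


# Hypothetical vendor, certificate fingerprints and file hashes; none are real.
VENDOR = "Example AppControl Vendor"
AGENT_CERT = "sha1:1111aaaa"       # the certificate the vendor actually signs its agent with
OTHER_CERT = "sha1:2222bbbb"       # a different certificate carrying the same publisher name
CERT_STOLEN_AT = datetime(2012, 7, 1)  # when the vendor declares the key left its control

TRUSTED_PUBLISHERS = {VENDOR}
PINNED_THUMBPRINTS = {AGENT_CERT}
# Revocation with an effective time: signatures timestamped before it remain trusted,
# anything the thief signs afterwards does not, even though the certificate is the pinned one.
REVOCATIONS = {AGENT_CERT: CERT_STOLEN_AT}
# Hash approvals cover files that are unsigned or signed by nobody we pin.
KNOWN_GOOD_HASHES = {"sha256:inventory-script-v3"}


def publisher_only(event: FileEvent) -> bool:
    """Weak rule: any file whose signature names a trusted publisher may run."""
    s = event.signature
    return s is not None and s.publisher in TRUSTED_PUBLISHERS


def hardened(event: FileEvent) -> bool:
    """Allow by known hash, or by trusted publisher AND pinned certificate AND not revoked at signing time."""
    if event.sha256 in KNOWN_GOOD_HASHES:
        return True
    s = event.signature
    if s is None or s.publisher not in TRUSTED_PUBLISHERS:
        return False
    if s.thumbprint not in PINNED_THUMBPRINTS:
        return False  # same publisher string, different key: not ours
    revoked_from = REVOCATIONS.get(s.thumbprint)
    if revoked_from is not None and s.signed_at >= revoked_from:
        return False  # signed after the key was known stolen
    return True


# Constructed events: a genuine agent update, two attacker files and two unsigned tools.
EVENTS = [
    FileEvent("agent_update.exe", "sha256:agent-2012-03",
              Signature(VENDOR, AGENT_CERT, datetime(2012, 3, 10))),
    FileEvent("svchost_helper.exe", "sha256:malware-01",
              Signature(VENDOR, AGENT_CERT, datetime(2012, 7, 20))),   # stolen cert, post-theft
    FileEvent("updater.exe", "sha256:malware-02",
              Signature(VENDOR, OTHER_CERT, datetime(2012, 3, 10))),   # look-alike publisher name
    FileEvent("inventory.ps1", "sha256:inventory-script-v3", None),    # unsigned, hash-approved
    FileEvent("tool.exe", "sha256:unsigned-01", None),                 # unsigned, unknown
]


def evaluate(events=EVENTS):
    """Map each path to (publisher_only_verdict, hardened_verdict)."""
    return {e.path: (publisher_only(e), hardened(e)) for e in events}


if __name__ == "__main__":
    for path, (weak, strong) in evaluate().items():
        print(f"{path:20} publisher-only={weak!s:5} hardened={strong!s:5}")
```

The two rows to look at are the attacker's: the post-theft file and the look-alike-certificate file both sail through the publisher-name rule and both fail the hardened one. The effective-date check only works if signatures carry a trusted timestamp; without one, a revocation has to invalidate every signature made with that key, including the vendor's own earlier releases.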

The Bit9 attack, in July 2012, used SQL injection to gain access to a Bit9 server that wasn't protected by Bit9's own security platform. The hackers installed a custom backdoor and stole credentials for a virtual machine that gave them access to another server that had a Bit9 code-signing certificate. They used the certificate to sign 32 malicious files that were then used to attack defense contractors in the U.S. Bit9 later revealed that at least three of its customers were affected by the breach.
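Nothing in the report describes the injected query itself, so the following is an added example rather than the Bit9 vulnerability: a minimal lookup written the vulnerable way, string-concatenating the caller's input into SQL, beside the parameterised form, run against a constructed in-memory SQLite table. The table, its rows and the probe strings are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table; the rows and hashes are placeholders, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "support"),
    ])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input becomes part of the SQL text, so quotes
    in it end the literal and the remainder is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised: the input is bound as a value and cannot alter the query structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    tautology = "x' OR '1'='1"                                        # returns every row
    exfil = "x' UNION SELECT username, password_hash FROM users--"     # pulls a different column
    return {
        "vulnerable_tautology_rows": len(lookup_vulnerable(conn, tautology)),
        "hardened_tautology_rows": len(lookup_hardened(conn, tautology)),
        "vulnerable_exfil": sorted(lookup_vulnerable(conn, exfil)),
        "hardened_exfil_rows": len(lookup_hardened(conn, exfil)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second probe is the one that matters for a breach of this shape: a query that was only ever meant to return a username and a role is made to return password hashes from the same table, which is a plausible first step toward the credentials that later opened the signing server.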

In addition to defense contractors, the Hidden Lynx group has targeted the financial sector, which makes up the largest group of victims attacked by the group, as well as the education sector, government, and the technology and IT sectors.

They’ve targeted stock trading firms and other companies in the financial sector, including "one of the world's largest stock exchanges." Symantec won't identify the latter victim, but O'Murchu says that in these attacks it appears they’re not going after victims to steal money from their stock trading accounts but are likely seeking information about business deals and more complicated financial transactions that are in the works.

O'Murchu didn't identify the victims, but one recent hack that matches this description involved a 2010 breach into the parent company that operates the Nasdaq stock exchange. In that hack, the intruders gained access to a web application used by company CEOs to exchange information and set up meetings.

The Hidden Lynx group has also gone after the supply chain, targeting companies that supply hardware and secure network communications and services for the financial sector.

In another campaign, they went after manufacturers and suppliers of military-grade computers who were targeted with a Trojan installed in an Intel driver application. Symantec notes that the attackers likely compromised a legitimate web site where the driver application was available for download.

Aside from the nation-state hacking activity, Hidden Lynx appears to operate a hacker-for-hire group that penetrates some victims -- primarily in China -- for financial gain. O'Murchu says the group has targeted peer-to-peer users in that country as well as gaming sites. Hacks of the latter kind are generally conducted with the intent of stealing a player's assets or game money.

"We see that as an unusual aspect of this group," O'Murchu says. "They definitely go after difficult-to-get-into targets like defense contractors, but we see them also trying to make money. We see that they use Trojans that are specifically coded to steal gaming credentials, and normally the threats to steal gaming credentials are used for money. It's unusual. Normally, we see these guys working for the government and ... stealing intellectual property or trade secrets, but this one they are doing that but they are also trying to make money on the side."

The group has left clearly identifiable fingerprints over the last two years that allowed Symantec to trace their activity and connect different attacks.

O'Murchu thinks the group hasn't wanted to spend time covering its tracks, instead focusing on penetrating companies and maintaining a persistent hold on them.

"Hiding your tracks and being careful not to be exposed can actually consume a large amount of time in these sorts of attacks," he says. "It could be they just don't want to spend that much time to cover their tracks."