BreachExchange mailing list archives

Hackers for hire: Group in China linked to big cyber attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Sep 2013 02:41:32 -0600

http://www.scmp.com/news/china/article/1312131/hackers-hire-group-china-linked-big-cyber-attacks

Researchers have discovered a group of highly sophisticated hackers
operating for hire out of China, a US computer security company said on
Tuesday, and it linked them to some of the best-known espionage attacks in
recent years.

Symantec said the group, which it dubbed “Hidden Lynx,” was among the most
technically advanced of several dozen believed to be running cyber
espionage operations out of China. Unlike a previous report by another
company, Symantec did not accuse the Chinese government of involvement in
the cyber attacks.

Symantec’s 28-page report described Hidden Lynx as a “professional
organisation” staffed by between 50 and 100 people with a variety of skills
needed to breach networks and steal information, including valuable
corporate secrets.

The company said its researchers believed Hidden Lynx might have been
involved with the 2009 Operation Aurora attacks, the most well-known cyber
espionage campaign uncovered to date against US companies.

In Operation Aurora, hackers attacked Google, Adobe Systems and dozens of
other companies. Google in January 2010 disclosed the attacks, in which
hackers tried to read Gmail communications of human rights activists and to
access and change source code at targeted companies.

Dmitri Alperovitch, the researcher who named Operation Aurora in February
2010 when he was the first to uncover key details about the attacks, said
he believed that Symantec’s conclusions were generally accurate.

Alperovitch, who is chief technology officer at the cyber security firm
CrowdStrike, said his company has also linked Operation Aurora to other
attacks by the same group including a high-profile breach at EMC Corp’s RSA
security company in 2011. CrowdStrike has not publicly shared details about
the group, which it calls Aurora Panda, because the firm makes money by
selling proprietary research to clients, he said.

Symantec researcher Liam O’Murchu said his company could not determine
which individuals were behind Hidden Lynx or if it was linked to the
Chinese government.

Alperovitch said, however, that CrowdStrike believes the group works solely
for the Chinese government and state-owned enterprises. “Whether they are
formally a military unit or a defence contractor, that is unknown,” he
added.

A separate study released in February from Mandiant, another firm that
closely follows Chinese hackers, said a secret unit of the Chinese military
was engaged in cyber espionage on American companies. Beijing vehemently
denied the accusations in that document, which contained photos of the
building that Mandiant said was the unit’s headquarters.

O’Murchu said Symantec believes Hidden Lynx is based in China because much
of the infrastructure used to run the attacks is there and because the
malicious software was written using Chinese tools and with Chinese code.

The Symantec report attributed several recent attacks to Hidden Lynx,
including a breach at cybersecurity firm Bit9 and follow-on attacks at
three Bit9 clients.

It also connects Hidden Lynx to a major campaign dubbed Voho, which was
discovered last year by EMC Corp's RSA security company. Voho targeted
hundreds of organisations, including financial service, technology and
healthcare companies, defence contractors and government agencies.

Symantec’s report described the group as a “highly efficient team” capable
of running multiple operations at once and of targeting specific
organisations across a variety of industries. That profile suggests that
they were hired by clients seeking out very specific pieces of data, the
report said.

For example, the financial services sector was the most heavily affected
industry, representing about a quarter of targets since November 2011,
according to Symantec.

While Symantec would not identify particular victims within the financial
industry, it said they included companies with information on pending
merger and acquisition activity. Such information might prove valuable to
Hidden Lynx clients in negotiating takeovers or trading shares.

The victims did not include commercial banks, Symantec said.

Hidden Lynx’s arsenal of tools included Trojan Naid and Trojan Moudoor,
which siphoned data from infected computers.

Symantec, which sells software and services to protect corporate and
consumer computer systems from cyber attacks like the ones mentioned in the
report, said Naid was also used by hackers in Operation Aurora.

The Hidden Lynx hackers “were either responsible for the Aurora attack or
were working in conjunction with the Aurora attackers,” O’Murchu said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss