Hidden Lynx - Professional Hackers for Hire
Peter Schjøtt, Symantec Denmark
Symantec Security Response

Insight live om It-sikkerhed - Peter Schjøtt

Published: In October 2013, Version2 Insight live hosted a debate on IT security. Published in: Technology
Notes
  • Gain access to information from organizations operating in the defense-industrial base.
  • Again, Elderwood shows the variety of organizations attacked. Two tiers of organizations are targeted: those hit by watering hole attacks are not the primary targets, they are used as stepping stones to infiltrate the primary targets. Dozens of campaigns since November 2011; hundreds of organizations affected, predominantly private and governmental organizations, finance and technology, all levels of government. Some targets are secondary targets, leveraged to meet the primary objective: the Bit9 incident and supply chain attacks.
  • Watering hole attack (VOHO).
  • Bit9 is a security company headquartered in Waltham, Massachusetts. As an alternative to traditional anti-virus solutions, Bit9 offers a trust-based security platform. They use cloud-based reputation, policy-driven application controls and whitelisting to protect against cyber threats.
  • Cyber espionage campaigns are becoming increasingly common, with countless threat actors attempting to gain footholds in some of the best protected organizations. These attacks are becoming increasingly sophisticated. The capabilities and tactics used by these threat actors vary considerably, from focused attacks against niche targets to large-scale campaigns targeting multiple organizations on a global scale. Red Manis is capable of both and operates at the forefront in terms of tactics and techniques used. They have been attacking prolifically since 2009, and repeatedly attack their targets with cutting-edge techniques. They quickly adapt to security countermeasures and are highly motivated. They are one of the most well-resourced and capable attack groups in the targeted threat landscape.

It is clear this is the work of a professional organization. They operate in a highly efficient manner and are capable of attacking on multiple fronts. They use the latest techniques, a diverse set of exploits and highly customized tools to compromise target networks. Attacking with such precision on a regular basis over long periods of time would require a sizeable, well-resourced organization. They possess expertise in many areas, with teams of highly skilled individuals who can quickly adapt to the changing landscape. This team could easily consist of 50-100 individuals: building these Trojans, maintaining infection and C2 infrastructure and pursuing confidential information on multiple networks concurrently would easily require this degree of manpower. They are highly skilled and experienced campaigners in pursuit of information of value to both private and governmental organizations. The incident at Bit9, which led to successful compromises during the VOHO campaign, only serves to highlight this fact.

The targeted attack landscape is becoming increasingly sophisticated. As organizations implement security countermeasures, the attackers adapt, and they adapt at a rapid rate. With an ever-increasing number of threat actors participating in these campaigns, organizations have to understand that sophisticated attackers are working hard to bypass each layer of security. It is no longer safe to say that any one solution will protect a company's assets. A variety of solutions need to be combined and, with a better understanding of the adversary, tailored to adequately protect the information of most interest to the attackers.

Their mission is large, and Red Manis is targeting a diverse set of information. The frequency and diversity of these attacks indicate that the group is tasked with sourcing information from many organizations, and these tasks are likely distributed within the team. The goal of Red Manis is to gain access to information at organizations in some of the wealthiest and most technologically advanced countries across the globe. It is unlikely that Red Manis is capable of using this information for direct financial gain, and the diversity of the information and the number of distinguishable campaigns suggest they receive tasks from multiple sources. This leads us to believe this is a professional organization that offers a "Hackers for Hire" service.

This group is actively attacking on multiple fronts, and other actors are adopting their techniques. The attackers are continuing to sophisticate and streamline their operations. Organizations that are being attacked on multiple fronts need to better protect the information that is most valuable to them. We expect Red Manis to be involved in many more high-profile campaigns in the coming years. They will continue to adapt. They will continue to innovate. They will continue to provide information servicing interests at both a corporate and a state level. Groups like Red Manis are certainly winning some of the battles, but as organizations gain a better understanding of how these groups operate, they can prevent their most valuable information from falling into their hands.
Who is the Hidden Lynx group?
• "Hackers for Hire", established before 2009
• Based in China
• Highly customized tools and access to 0-day exploits
• Pioneered large-scale "watering hole" attacks (the VOHO campaign)
• More capable than Comment Crew/APT1
• Proficient, innovative, methodical
Characteristics of Hidden Lynx
• Diverse range of targets
• Well resourced: 50-100 people
• Can penetrate tough targets
• Concurrent campaigns
The Two Sides of Hidden Lynx
Same organization but different teams:

Team Naid: elite, precise, surgical
• Uses: Trojan.Naid
• Scope: special operations (small team)
• Targets: information of national interest
• Examples: Bit9 attack, Operation Aurora

Team Moudoor: skilled, prolific, indiscriminate
• Uses: Backdoor.Moudoor (custom "Gh0st RAT")
• Scope: wide-scope attacks (large team)
• Targets: financial sector, all levels of government, healthcare, education and legal
Motivations

Naid: government espionage
• Government and contractors, especially in the defense industry
• Seeking access to confidential information of significant interest to nation states

Moudoor: corporate espionage
• Investment banks, asset management and law firms
• Stock markets/brokers
• Insider information on mergers and acquisitions
• Financially motivated: corporate advancement, access to trade secrets
Who's Targeted – Verticals
• Hundreds of targets
• Dozens of campaigns
• Direct/indirect attacks
Who's Targeted – Top 10 Countries
52.7%  USA
15.5%  Taiwan
 9.0%  China
 4.0%  Hong Kong
 3.0%  Japan
 2.4%  Canada
 2.2%  Germany
 1.7%  Russian Federation
 1.5%  Australia
 1.5%  Republic of Korea
Tools, Tactics and Procedures
• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
  – Trojanizing driver files in the supply chain to infiltrate the final targets
• 0-day and known exploits
  – Since 2011, 5 exploits, including 3 0-day exploits
  – Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
  – Stole Bit9's signing certificate to bypass its trust protection model
• Tell-tale characteristics of a professional and skilled group
The Bit9 Attack
• A branch of the VOHO campaign
• Bit9 offers a trust-based security platform
  – Everything signed by Bit9 is trusted and allowed to run
• Initial incursion
  – SQL injection on a Bit9 server (July 2012)
  – Installed Backdoor.Hikit as a beachhead
• Bit9's code-signing certificate was compromised
  – Used to sign 32 malicious binaries, including Trojan.Naid
  – Files used in subsequent attacks against the United States defense industry
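The two slides above make one security point: a trust model of "anything signed by the vendor is allowed to run" is only as strong as the custody of the vendor's signing key. The following is an added example, not code from Symantec, Bit9 or the presentation, that models that trust rule in a toy allowlisting engine and contrasts it with the two controls that still hold after a key theft: a per-binary hash allowlist and a revocation dated to the compromise. The signing key, dates, binary contents and signer name "vendor" are all constructed for the example; Ed25519 stands in for the Authenticode certificate.

```go
// Added example (not Symantec's or Bit9's code): a toy allowlisting engine
// contrasting signer-based trust with a hash allowlist plus dated revocation.
// Keys, dates, binaries and the signer name "vendor" are constructed.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedBinary stands in for a signed executable: code, signing time and a
// signature over both. Caveat: the signing time is only meaningful if it
// comes from a trusted timestamp countersignature; whoever holds the stolen
// key can otherwise backdate it and slip under the revocation date.
type SignedBinary struct {
	Name     string
	Code     []byte
	SignedAt time.Time
	Sig      []byte
}

// signingMessage binds the code hash to the signing time.
func signingMessage(code []byte, signedAt time.Time) []byte {
	h := sha256.Sum256(code)
	msg := make([]byte, 8, 8+len(h))
	binary.BigEndian.PutUint64(msg, uint64(signedAt.Unix()))
	return append(msg, h[:]...)
}

func Sign(priv ed25519.PrivateKey, name string, code []byte, at time.Time) SignedBinary {
	return SignedBinary{Name: name, Code: code, SignedAt: at,
		Sig: ed25519.Sign(priv, signingMessage(code, at))}
}

func hashHex(code []byte) string {
	h := sha256.Sum256(code)
	return hex.EncodeToString(h[:])
}

// Policy is the allowlisting engine. TrustedSigners is the "everything signed
// by the vendor may run" rule; HashAllowlist and Revoked survive a key theft.
type Policy struct {
	TrustedSigners map[string]ed25519.PublicKey
	HashAllowlist  map[string]bool      // hex SHA-256 of individually approved binaries
	Revoked        map[string]time.Time // signer -> time from which its signatures are distrusted
}

// Allow reports whether the binary may run and why.
func (p Policy) Allow(b SignedBinary) (bool, string) {
	if p.HashAllowlist[hashHex(b.Code)] {
		return true, "hash allowlisted"
	}
	for signer, pub := range p.TrustedSigners {
		if !ed25519.Verify(pub, signingMessage(b.Code, b.SignedAt), b.Sig) {
			continue
		}
		if since, ok := p.Revoked[signer]; ok && !b.SignedAt.Before(since) {
			return false, "signed by " + signer + " after its key was revoked"
		}
		return true, "signed by trusted signer " + signer
	}
	return false, "unsigned or untrusted signer"
}

// Scenario runs three binaries through a signer-only policy and a hardened
// one and returns the decisions keyed "<policy>:<binary>".
func Scenario() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	compromise := time.Date(2012, 7, 1, 0, 0, 0, 0, time.UTC) // constructed date
	agent := Sign(priv, "agent", []byte("legitimate vendor agent"), compromise.AddDate(0, -6, 0))
	backdoor := Sign(priv, "backdoor", []byte("malware signed with the stolen key"), compromise.AddDate(0, 0, 10))
	hotfix := Sign(priv, "hotfix", []byte("genuine post-incident hotfix"), compromise.AddDate(0, 0, 20))

	signerOnly := Policy{TrustedSigners: map[string]ed25519.PublicKey{"vendor": pub}}
	hardened := Policy{
		TrustedSigners: map[string]ed25519.PublicKey{"vendor": pub},
		HashAllowlist:  map[string]bool{hashHex(hotfix.Code): true}, // approved per file
		Revoked:        map[string]time.Time{"vendor": compromise},
	}
	decide := func(p Policy, b SignedBinary) bool { ok, _ := p.Allow(b); return ok }
	return map[string]bool{
		"signer-only:agent":    decide(signerOnly, agent),
		"signer-only:backdoor": decide(signerOnly, backdoor),
		"hardened:agent":       decide(hardened, agent),
		"hardened:backdoor":    decide(hardened, backdoor),
		"hardened:hotfix":      decide(hardened, hotfix),
	}
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-22s allowed=%v\n", k, v)
	}
}
```

The signer-only policy accepts the backdoor for exactly the reason the slide gives: the signature is valid, and validity is the whole rule. The hardened policy keeps running the agent signed before the incident, blocks the post-compromise backdoor, and still admits a hotfix that was individually approved by hash even though its signer is revoked. Note the caveat in the code: dated revocation only works with a trusted timestamp on the signature, so a publisher-trust rule should be paired with timestamp checking and per-file approval rather than relied on alone.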
The VOHO Campaign – A Recap
• Large watering hole attack on ten strategic websites
• A two-phased attack, with C&C logs showing 4000+ infections
• Started on June 25 and finished July 18, 2012
• Exploits
  – IE zero-day (CVE-2012-1889)
  – Oracle Java (CVE-2012-1723)
• Once the zero-day vulnerability was patched, activity temporarily halted to avoid drawing attention
• Malware: Backdoor.Moudoor and Trojan.Naid
Vital Links
Clues that link the campaigns of the Hidden Lynx group together:
• Consistent use of the same two customized Trojans
  – Backdoor.Moudoor
  – Trojan.Naid
• Use of the same C&C server over multiple campaigns
• Use of the same infected websites for distribution of Naid or Moudoor, depending on the victim
• Repeated attacks on the same set of target organizations
  – In particular finance, government and IT/ICT organizations
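The linking clues above are an infrastructure pivot: incidents that reuse a C&C server or a compromised delivery site were controlled by the same operator, while a shared malware family is weaker evidence (the slides themselves note that Moudoor is a customized Gh0st RAT, a widely shared codebase). The following is an added example, not Symantec's code, that applies that pivot to a handful of constructed incident records: it merges incidents on shared C2 hosts and delivery sites and reports shared custom families only as supporting evidence. The incident IDs, hosts and sites are placeholders, not real indicators.

```go
// Added example (not Symantec's code): clusters intrusion records on shared
// C&C hosts and delivery sites, the "Vital Links" pivot. A shared malware
// family is reported as supporting evidence, not used as a link on its own.
// All incident IDs, hosts and sites below are constructed placeholders.
package main

import (
	"fmt"
	"sort"
)

type Incident struct {
	ID      string
	Malware []string // custom families observed
	C2      []string // C&C hosts contacted
	Sites   []string // compromised sites that delivered the payload
}

// strongIndicators are the ones the operator had to control. They are
// namespaced so a C2 host and a site with the same name do not collide.
func strongIndicators(in Incident) []string {
	var out []string
	for _, c := range in.C2 {
		out = append(out, "c2:"+c)
	}
	for _, s := range in.Sites {
		out = append(out, "site:"+s)
	}
	return out
}

// linker is a union-find over incident IDs.
type linker struct{ parent map[string]string }

func (l *linker) find(x string) string {
	if l.parent[x] != x {
		l.parent[x] = l.find(l.parent[x])
	}
	return l.parent[x]
}

func (l *linker) union(a, b string) { l.parent[l.find(a)] = l.find(b) }

// Cluster merges incidents that share a strong indicator and returns the
// clusters as sorted ID lists, largest first.
func Cluster(incidents []Incident) [][]string {
	l := &linker{parent: map[string]string{}}
	for _, in := range incidents {
		l.parent[in.ID] = in.ID
	}
	firstSeen := map[string]string{} // indicator -> first incident using it
	for _, in := range incidents {
		for _, ind := range strongIndicators(in) {
			if prev, ok := firstSeen[ind]; ok {
				l.union(in.ID, prev)
			} else {
				firstSeen[ind] = in.ID
			}
		}
	}
	groups := map[string][]string{}
	for _, in := range incidents {
		root := l.find(in.ID)
		groups[root] = append(groups[root], in.ID)
	}
	out := make([][]string, 0, len(groups))
	for _, g := range groups {
		sort.Strings(g)
		out = append(out, g)
	}
	sort.Slice(out, func(i, j int) bool {
		if len(out[i]) != len(out[j]) {
			return len(out[i]) > len(out[j])
		}
		return out[i][0] < out[j][0]
	})
	return out
}

// SharedMalware lists families seen in at least two incidents of a cluster.
func SharedMalware(cluster []string, incidents []Incident) []string {
	byID := map[string]Incident{}
	for _, in := range incidents {
		byID[in.ID] = in
	}
	count := map[string]int{}
	for _, id := range cluster {
		seen := map[string]bool{}
		for _, m := range byID[id].Malware {
			if !seen[m] {
				seen[m] = true
				count[m]++
			}
		}
	}
	var out []string
	for m, n := range count {
		if n >= 2 {
			out = append(out, m)
		}
	}
	sort.Strings(out)
	return out
}

// SampleIncidents is constructed data; OTHER shares a family but no infrastructure.
func SampleIncidents() []Incident {
	return []Incident{
		{ID: "VOHO-A", Malware: []string{"Moudoor"}, C2: []string{"c2-a.example"}, Sites: []string{"wh1.example"}},
		{ID: "VOHO-B", Malware: []string{"Naid"}, C2: []string{"c2-a.example"}, Sites: []string{"wh2.example"}},
		{ID: "BIT9", Malware: []string{"Naid", "Hikit"}, C2: []string{"c2-b.example"}, Sites: []string{"wh2.example"}},
		{ID: "FIN-1", Malware: []string{"Moudoor"}, C2: []string{"c2-b.example"}},
		{ID: "OTHER", Malware: []string{"Moudoor"}, C2: []string{"c2-z.example"}},
	}
}

func main() {
	inc := SampleIncidents()
	for _, c := range Cluster(inc) {
		fmt.Println(c, "shared malware:", SharedMalware(c, inc))
	}
}
```

On the sample data the four incidents that chain through c2-a, wh2 and c2-b fall into one cluster with both Moudoor and Naid as shared families, while OTHER stays separate despite using Moudoor: that is the distinction the slide draws between infrastructure reuse and malware reuse. The same structure extends to other operator-controlled indicators (signing certificates, registrant e-mail addresses) by adding them to strongIndicators.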
Hidden Lynx, conclusion
• Active since 2009 with many attack campaigns
• Highly motivated, skilled and efficient
• Used three zero-day vulnerabilities since 2011
• Many different targets, therefore most likely a "Hackers for Hire" service
• The majority of attacks originated through watering hole techniques, but spear-phishing and supply chain attacks have also been used
• Usually seeking intellectual property
• Anybody who supplies a targeted organization is a potential victim, including IT/ICT, financial and legal services, and manufacturing organizations
Corporate espionage – closer to home

"The Americans spy on us, also commercially and industrially, just as we spy on them. It is in our national interest to defend business."
Bernard Squarcini, former head of France's intelligence service
Quoted in Børsen, 25 October 2013

"We have always been aware that the intelligence services and business in the USA work closely together."
Markus Stäidinger, German IT security expert
Quoted in Børsen, 30 October 2013
Last words…
• The described "Hidden Lynx" group is not the only "Hackers for Hire" group, although one of the most skilled and professional
• Hackers for hire: many exist
• Hackers for hire are a threat to your business
• The threat does not disappear: should you adjust your risk assessment?
How to get more information
Blog: http://www.symantec.com/connect/symantec-blogs/sr
Twitter: http://twitter.com/threatintel
Whitepapers: http://www.symantec.com/security_response/whitepapers.jsp
Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.