Threat Intelligence, Malware

“Hackers for hire” group Hidden Lynx on mission to collect corporate data

Researchers believe that a group of “hackers for hire” based out of China are linked to numerous high-profile attacks on U.S. companies, including those against Google and security firm Bit9.

On Tuesday, Symantec released findings that a network of sophisticated attackers, dubbed the “Hidden Lynx” group, has been active since at least 2009 and continues to target organizations in the U.S. and in many other countries.

Symantec estimated that between 50 to 100 individuals make up the Hidden Lynx group, as a number of campaigns are being actively carried out simultaneously. Since 2011, Hidden Lynx has targeted hundreds of organizations throughout the globe, with more than half, 52 percent, being in the U.S.

Because of the diverse array of entities infected by the group, whose mission seems to be to collect intellectual property and other corporate intelligence, Symantec came to the conclusion that Hidden Lynx is likely a professional group of hackers willing to provide their services for pay.  

Currently, Hidden Lynx primarily uses two backdoor trojans: Moudoor – a customized version of Gh0st RAT malware that the group used against a wide range of industries, including financial, government, health care and education sectors; and Naid, specially-crafted malware used to infiltrate entities in the defense sector.

According to a Tuesday blog post by Symantec, Naid is dispatched only on “elite” missions and “when failure is not an option.”

Symantec also determined that Hidden Lynx was operating out of China and consisted of two “teams,” named Naid and Moudoor, after the malware the saboteurs used. The malware share technical similarities with other trojans linked to China-based espionage campaigns, the firm found.

Symantec discovered that Naid was signed with a Bit9 certificate – revealing new details on the breach the company disclosed in February. That month, Bit9 said hackers had accessed its code-signing certificates, enabling attackers to digitally sign malware and distribute them to the firm's clients.

In addition, Symantec found that Naid was downloaded in the 2010 Aurora attacks, to which Google fell victim. The trojan was downloaded in stage three of the attack, after the Hydraq trojan infected victims' systems.

In their years of use, both Naid and Moudoor have leveraged exploits in Microsoft products, including Internet Explorer, and in Oracle's Java platform.

In a Tuesday interview with, Kevin Haley, director of security response at Symantec, said the  group is skilled and highly resourced given the fact they've been quick to “throw away” zero-days after details about the threats become public knowledge, unlike some hacker groups that continue to make use of vulnerabilities with available patches.

“The unique thing they do with zero-days is they are willing to throw them away once everybody knows about them,” Haley said. “Even when the patch comes out, there's still time before many users will patch. But for these guys, as soon as anybody knows about it, they stop using [the exploit]. And that shows how stealthy they are, because there's a potential of getting caught.”

Haley warned that watering hole attacks appear to be the attack vector of choice for Hidden Lynx hackers, meaning the group infects legitimate websites frequently visited by their targets.

He also advised that entities patch their software as soon as possible, and not underestimate their value to hackers looking for a way into organizations.

“A lot of companies assumed they wouldn't be targeted,” Haley said. “Ultimately, they might not want you, but they may want someone you do business with. If it ends up that one of your partner businesses has been attacked through you, that could be devastating for your business relationship with them,” Haley warned.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.