The emergence of attackers-for-hire is a troubling trend in cybercrime, and one particular group is changing its techniques to gain access to computer systems, says Symantec researcher Kevin Haley.
A China-based group known as Hidden Lynx is a well-funded network of cyber-attackers that's leasing its services for targeted campaigns, says Haley, director of Symantec's security response team. The group has been responsible for five attacks in the last two and a half years, Haley says.
Symantec learned that Hidden Lynx was involved in Operation Aurora in 2009, which targeted Google and 30 other businesses. "We discovered that this group was involved in that because one of their pieces of malware was actually used in that attack," Haley says in an interview with Information Security Media Group [transcript below].
"What we see is an evolution," he says. "We're seeing a higher volume of attacks being launched and managed; we're seeing an increase in the sophistication of what they're doing; and we've actually seen new attack techniques developed by this team."
For four years, Haley and his team have been closely tracking the activities of these attackers-for-hire.
During this interview, Haley:
- Describes how Hidden Lynx's attacks have evolved;
- Explains that the group focuses on cyber-espionage designed to steal information, rather than distributed-denial-of-service attacks; and
- Outlines steps organizations should take to enhance their cyberdefenses in light of the attackers-for-hire trend.
Haley is responsible for Symantec's global intelligence network, where he educates consumers and customers about security issues. During his 13 years at the company, Haley has helped develop its anti-virus solutions for endpoints and mail servers and create network and system management solutions. Earlier, he worked on software distribution tools at Hewlett-Packard and was a product manager at Sun Microsystems.
TRACY KITTEN: What can you tell us about the group Hidden Lynx and who's behind it?
KEVIN HALEY: It's a highly sophisticated group of hackers who have been around for some time now and launched numerous campaigns against numerous industries. It's really this broad reach that they have, the number of different types of organizations that they've attacked, that makes us believe that they're a hacker-for-hire type of organization.
KITTEN: How long have you been tracking this group, and what have you learned about its origins?
HALEY: We've been tracking this group since 2009. It's just that back in 2009 we weren't aware of the scope of what this group was involved in. In the last several years, we've been really able to start putting all the pieces together to understand that multiple attacks are all the responsibility of this group. That led up to the research that we just published.
KITTEN: Which industries have been targeted so far and over what period of time?
HALEY: Over the last several years, a whole host of industries have been targeted. About a quarter to 30 percent of those attacks were against the financial or investment industry and another 25 percent against government. But we've also seen attacks against healthcare, engineering, education, legal, retail, pharmaceutical, food and the defense industry.
KITTEN: One thing that I found fascinating is the fact that Symantec believes that Hidden Lynx actually comprises two separate teams. Why do you think that two separate teams are actually involved in this group?
HALEY: It looks like there's actually an A and a B team. The B team is called in to do general types of attacks, and we see one particular piece of malware and a way of operating that's very prevalent and involved in a lot of these attacks. But there's another group within Hidden Lynx that appears only to be called out for the very hard jobs. They have more stealth malware and they're attacking very specific targets that are the hardest ones to get into.
KITTEN: Beyond the fact that you have one group that's brought in when the attacks are a little bit more sophisticated or difficult, do the teams have different focuses?
HALEY: They have different malware; that's definitely the case. The A team [uses] malware that is more stealth. They don't use it as often. For instance, they'll use it with a zero-day vulnerability, a vulnerability nobody else knows about, so that will help them get onto a computer. But as soon as everybody knows about this vulnerability, they stop using it. That's an example of something they're doing to try to stay hidden and stay stealth. When the other team uses their piece of malware, they'll use it everywhere. If people become aware of it, that's fine; they'll just continue.
The A team also is very focused on the defense industry, and those are some of the hardest companies to break into. They know they're under attack; they take great precautions. That's where this surgical strike team gets involved. The B team, Team Moudoor, which is what their malware is called, they're after the financial sector, government and healthcare. They're in all those industries and a lot of different attacks are going on at the same time.
KITTEN: Are these teams based in different parts of the world?
HALEY: We've identified that this group is operating out of China, and that's because the infrastructure that's involved, the backend infrastructure that we've discovered that both these teams are using, is in China. Where they actually wake up and go to work in the morning, we can't tell you. But we know that since their infrastructure is based in China, most likely they're located there.
Other Hacker-for-Hire Groups
KITTEN: Are there other groups out there that resemble Hidden Lynx? How unique is this group in its attacks?
HALEY: There certainly are a number of other attackers that are capable of these types of targeted attacks that this group is running. What sets them [Hidden Lynx A team] apart and what really makes them unique is the ... surgical strikes that they're able to pull off. They have stolen digital certificates in order to sign their malware to make it look like they're good files. They've infiltrated supply chains to get onto hardware so that their malware was planted on hardware that was going into their ultimate target environment as a way to get in there. They seem to be really out-of-the-box thinkers who, when there's a really tough problem, come in to solve it. That's what makes them unique and makes them really stand out from the other attack groups that are out there.
Use of Trojans
KITTEN: Tell us a bit about the Trojans that are used in these attacks. What do these Trojans reveal to us about the sophistication of this group?
HALEY: It's interesting because the B team, Team Moudoor, is based on an existing remote access tool that's very common among the hacker community that's called Ghost Rat. Think of it as an off-the-shelf hacking tool they have converted for their own uses.
The A team itself has written their own piece of malware, and, as I said, it's only used in very special operations. They've managed to get it digitally signed in order to further hide it, although now that we know about that method, that doesn't work anymore. But it was very successful for them for a time. They attack just a small number of sites, as I said, in order to keep themselves very stealth.
KITTEN: You mentioned earlier that you've been tracking this group since 2009. How has the group and/or its attacks evolved?
HALEY: In 2009 there was an attack called Aurora or Hydraq; it goes by a couple different names. This attack was one of the first broadly publicized attacks by groups involved in cyber-espionage, and several U.S. companies had been broken into in attempts to steal their intellectual property. That did gain a lot of notoriety. As we started to do our research, we discovered that this group was involved in that because one of their pieces of malware was actually used in that attack. ... We're seeing a higher volume of attacks being launched and managed; we're seeing an increase in the sophistication of what they're doing; and we've actually seen new attack techniques developed by this team.
Most targeted attacks start with an e-mail that's sent to the victim trying to fool them into clicking on a link or an attachment to infect themselves. This group perfected a technique where they would lie in wait on a website that they knew their victims went to. When their victims went to the website, they would then infect them through the browser when they went to that website. This is called a watering-hole attack and they started doing this in 2011. It, too, is very innovative in its approach.
Link to DDoS Attacks?
KITTEN: Do you think that this group is at all linked to the DDoS attacks that have been waged against U.S. banking institutions for the last year?
HALEY: No. The only type of attacks that we've seen in this group is where they're off to steal information - cyber-espionage, if you will. A DDoS attack would take a server down or cause difficulties in reaching a web server. That's not their style. They're actually looking to get on that server to steal information, not to bring it down.
KITTEN: Are there other groups out there that are attacking for hire?
HALEY: There certainly are. There are groups that are certainly connected with nation-states, whether loosely or part of their structure, for lack of a better word. There are certainly groups that are in this who are doing it just to make money, those more criminal in intent than stealing information, just trying to steal money straight out like some of these attacks against banks.
There are other people that are profiting by providing services. We see people who provide bots for services, who provide command-and-control systems, who will sell you the exploit to use to get on a computer. Very common in the cybercrime area is, "I will write malware but I will pay other people to get it onto machines." It's a pay-per-install model where I'll write the malware and, every time you get it on another computer for me, I'll pay you a certain amount of money.
KITTEN: Would you say that these attacks that are waged by this particular group are linked to any other attacks?
HALEY: We believe this group is responsible for a number of attacks. We've easily traced them back to five different attacks over the last two and a half years, and we know they're even operating now. We see them continuing to target and attack companies.
Key Takeaways for Industry
KITTEN: What would you say are the key takeaways for the banking industry, government and other sectors?
HALEY: Clearly, the banking industry knows this, but many sectors don't really understand that they're a target for attack. Many companies and organizations think that's something that happens to other people, and I think that this group and others out there have shown quite clearly that's not the case. It's something we all need to be concerned about.
You need to do your basic security best practices. It's unfortunate, but in this day and age, many companies aren't even doing the basics. You need to have good, layered security; you need to keep up with all the patches for vulnerabilities in the software that you run; and you need to have a very good layered defense that's not only on your desktop but on your mail server and your gateway in order to protect yourself.