Symantec researchers Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar reported uncovering evidence linking the group to China after examining forensic evidence of a recent attack on security firm Bit9 in the company's Hidden Lynx: Professional Hackers for Hire threat report. "Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China," said the report.
The Symantec researchers added that forensic analysis of the group indicates the group boasts at least 50 skilled members capable of creating advanced, dangerous attacks and has been operating since at least 2009.
"They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organisation made up of between 50 and 100 individuals," read the report.
"The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customise exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region."
The researchers highlighted the group's track record in creating and mounting sophisticated watering hole and spear-phishing attacks on Bit9 customers and involvement in the Voho hacking campaign as proof of its capabilities. "The group's tools, tactics and procedures are innovative and typically cutting edge. They use custom tools and techniques that they tailor to meet their objectives and maximise their chance of success," said the report.
The Voho campaign was originally discovered by the security firm RSA in 2012. It saw the group target hundreds of companies in numerous industries including technology, banking, healthcare, defence as well as numerous and government agencies.
Symantec said despite tracking the group to China it is unclear what, if any, links they have to the country's government and current evidence suggests they are little more than cyber mercenaries for hire.
"This broad range of targeted information would indicate that the attackers are part of a professional organisation. They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level," read the report.
"It is unlikely that this organisation engages in processing or using the stolen information for direct financial gain. Their mode of operation would suggest that they may be a private organisation of ‘hackers for hire', who are highly skilled, experienced professionals whose services are available for those willing to pay.
Symantec is the latest in a long sea of security firms to link hacking groups to China. Security firm Mandiant reported linking the Comment Crew team to a Chinese military unit based in Shanghai's Pudong district. The group is believed to have mounted attacks on over 141 companies. The Chinese government has consistently denied any involvement in the attacks, arguing cybercrime is an international problem.
No comments:
Post a Comment