Hidden Lynx is the name given by experts to a state-sponsored cybercriminal group that’s apparently even more dangerous than the APT1 group, the one that’s said to be responsible for numerous high-profile attacks, including the one against The New York Times. Symantec has been monitoring the activities of Hidden Lynx for quite some time. Researchers say the cybercriminals are apparently based in China.
They are highly organized, patient and agile. They’re said to be the pioneers of watering hole attacks, and they have early access to zero-day exploits.
The cybercriminal organization is said to consist of 50-100 members split into two main teams: Moudoor and Naid.
Team Moudoor uses disposable tools and basic techniques to attack their targets. One of their purposes is collecting intelligence. Their name stems from the backdoor Trojan they’re using.
Naid is the “special operations team.” They specialize in attacking the more valuable and tougher targets. Their name is also based on the Trojan they utilize in their campaigns.
Unlike the Moudoor Trojan, the Naid malware is used only on special occasions, to reduce the chance of the threat being detected and captured.
At least six major campaigns have been launched by the group since 2011 against industry sectors such as ICT, aerospace/defense, financial services, energy, marketing and government.
Usually, multiple organizations are targeted over a sustained period of time in each campaign.
As far as the location of the targets is concerned, most of them (52%) are in the US, followed by Taiwan (15.5%), China (9%), Hong Kong (4%) and Japan (3%). Organizations from Canada, Germany, Russia, Australia and South Korea have also been attacked.
One of the most notable organizations targeted by Hidden Lynx is the IT security firm Bit9, which was hacked in mid-2012.
Symantec has published a white paper on Hidden Lynx.