Hacker groups spied on organizations for at least four years

Oct 15, 2014 12:30 GMT  ·  By
Cyber-espionage group is well-resourced, uses multiple tools and techniques to compromise the target

A group of security vendors joined forces to combat malware used by a group of hackers linked to various cyber-espionage campaigns for at least four years.

The adversary is a China-based team of hackers believed to consist of up to 100 operatives who appear to engage in on-demand attacks.

They are referred to by Symantec as “Hidden Lynx,” and security researchers say they are well-resourced and that they are one of the first groups to use the “watering hole” attack method to spread malicious software to their targets.

Big names from the security industry work together

This is the first initiative of this kind against an APT (advanced persistent threat) group, and it included intelligence from Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity, Novetta, and Symantec.

Dubbed Operation SMN, the action was coordinated by Novetta, a company offering advanced analytics technology solutions, under Microsoft’s Coordinated Malware Eradication program.

Worth noting is that all the members of the coalition are from the private sector and most of them are competitors for customers; however, they agreed to share intelligence about the malicious tools used by Hidden Lynx to infiltrate organizations.

As such, this initiative is a step forward from individual threat reporting and towards a centralized system to identify threat actors involved in espionage campaigns.

APT group relies on multiple tools and techniques to achieve their goal

Hidden Lynx’s main goal seems to be maintaining a foothold in the target’s network while looking for ways to infiltrate deeper without triggering detection mechanisms.

According to Novetta, the targets range from large public network infrastructure providers to holders of extensive IP portfolios, and government entities from various countries in Asia and the United States.

Researchers observed that apart from malicious software, Hidden Lynx often resorts to compromising the security of the supply chain for the targeted organization in order to work their way into the network.

Novetta refers to the threat actors by the name “Axiom,” and says that they rely on “compromised mid-point infrastructure within Korea, Taiwan, Japan, Hong Kong and the United States to conduct exploitation operations.”

The threat group is capable of escalating privileges, moving laterally across the network, and using custom backdoors.

During Operation SMN, the group was observed targeting and exploiting human resource management agencies, individuals in law enforcement organizations, media agencies in the US, Europe and Japan, international law firms, and a Ministry of Finance. All of these have been targeted since September 2013.

A comprehensive report regarding the activities of Operation SMN is scheduled to be released towards the end of the month, on October 28.