A 28-page report released by the Silicon Valley-based security firm this week accuses the group “Hidden Lynx” of an array of high-profile hacks that have targeted major technology companies and government contractors alike since at least 2009.
Symantec has blamed the group for Operation Aurora, a 2009 cyber-attack that set its sights on dozens of victims, including Yahoo, Northrup Grumman, Dow Chemical and even Symantec itself. Google was the first company to break news of the attack early the next year and admitted that the hackers attempted to breach Gmail and read communications between human rights activists.
According to Symantec, the group involved in the exploits consists of 50 to 100 professional “hackers for hire,” and is among the most advanced outfits of its kind.
“This group has a hunger and drive that surpass other well-known groups,” Symantec acknowledged in a blog post published on Tuesday, and characterized the unit as demonstrating vast technical prowess, agility, organization, patience and “sheer resourcefulness.”
“These attributes are shown by the relentless campaigns waged against multiple concurrent targets over a sustained period of time,” Symantec said.
But whereas other recent reports have tied other powerful Chinese hacking groups to the country’s government, Symantec stopped short of directly accusing the computer pros of being state agents.
“Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that are contracted by clients to provide information,” Symantec said. “They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets.”
Among those targets is Bit9, the self-proclaimed “leader in a new generation of endpoint and server security based on real-time visibility and malware protection.” The United States government is just one of the clients of Bit9, a firm that analyzes software to make sure it’s secure enough to run on certain systems. It was breached in June 2012 by a group now identified by Symantec as Hidden Lynx.
“Since November 2011, hundreds of organizations worldwide have been targeted” by the group, Symantec said in the report. More than half of those targets are US-based, and around a quarter are linked to the financial sector.
“There is almost certainly a financial motivation behind these attacks,” Symantec said, accusing Hidden Lynx of mass corporate espionage as well as attacks against nation-states and governmental contractors alike.
Speaking to Reuters, the chief technologist at competing security firm CrowdStrike said he thinks the group has worked solely for the Chinese government and state-owned enterprises, despite Symantec falling short of making such accusations.
“Whether they are formally a military unit or a defense contractor, that is unknown,” CrowdStrike’s Dmitri Alperovitch told the newswire.
Weighing in with the Wall Street Journal, Alperovitch added, “There is no question they’re working on behalf of the Chinese government.”
Earlier this year, Virginia-based security firm Mandiant released a report accusing a group directly tied to the Chinese government of compromising the systems of over 140 companies, including many US-based corporations, such as Coca-Cola.
Comparing Hidden Lynx with other Chinese hacking firms, Symantec’s Samir Kapuria, the company’s vice president of business strategy and secure intelligence, told ABC News, “These guys are a lot more precise and surgical.”
“The tactics and tools that they employ are things that they like to keep hidden… This is when there’s a specific mission in mind: ‘How do we infiltrate the supply chain of our ultimate target? How do we tailor some specific attack that allows us to go under the radar?’” he said.
In the official report, embedded below, Symantec said the group is highly organized and “can gain advanced access to zero-day vulnerabilities.” RT reported earlier this week that the US’ National Security Agency entered a contract last year with a French hacking firm named Vupen that sells subscriptions to a service that provides clients, including major governments, with details about these vulnerabilities, named as such because manufacturers have no time to patch up security flaws.
“Major software vendors such as Microsoft and Adobe usually take 6 to 9 months to release a security patch for a critical vulnerability affecting their products, and this long delay between the discovery of a vulnerability and the release of a patch creates a window of exposure during which criminals can rediscover a previously reported but unpatched vulnerability, and target any organization running the vulnerable software,” Vupen acknowledged on its website.