UPDATE 2-Hacker group in China linked to big cyber attacks -Symantec

Tue Sep 17, 2013 6:33pm EDT

* Symantec says Hidden Lynx very likely based in China
* Says it is not sure if group is linked to government
* Says may be linked to well-known 2009 Operation Aurora


    By Jim Finkle
    BOSTON, Sept 17 (Reuters) - Researchers have discovered a
group of highly sophisticated hackers operating for hire out of
China, a U.S. computer security company said on Tuesday, and it
linked them to some of the best-known espionage attacks in
recent years.
    Symantec Corp said the group, which it dubbed
"Hidden Lynx," was among the most technically advanced of
several dozen believed to be running cyber espionage operations
out of China. Unlike a previous report by another company,
Symantec did not accuse the Chinese government of involvement in
the cyber attacks.
    Symantec's 28-page report described Hidden Lynx as a
"professional organization" staffed by between 50 and 100 people
with a variety of skills needed to breach networks and steal
information, including valuable corporate secrets.
    The company said its researchers believed Hidden Lynx might
have been involved with the 2009 Operation Aurora attacks, the
most well-known cyber espionage campaign uncovered to date
against U.S. companies.
    In Operation Aurora, hackers attacked Google Inc,
Adobe Systems Inc and dozens of other companies. Google
in January 2010 disclosed the attacks, in which hackers tried to
read Gmail communications of human rights activists and to
access and change source code at targeted companies.
    Dmitri Alperovitch, the researcher who named Operation
Aurora in February 2010 when he was the first to uncover key
details about the attacks, said he believed that Symantec's
conclusions were generally accurate.
    Alperovitch, who is chief technology officer at the cyber
security firm CrowdStrike, said his company has also linked
Operation Aurora to other attacks by the same group including a
high-profile breach at EMC Corp's RSA security company
in 2011. CrowdStrike has not publicly shared details about the
group, which it calls Aurora Panda, because the firm makes money
by selling proprietary research to clients, he said.
    Symantec researcher Liam O'Murchu said his company could not
determine which individuals were behind Hidden Lynx or if it was
linked to the Chinese government. 
    Alperovitch said, however, that CrowdStrike believes the
group works solely for the Chinese government and state-owned
enterprises. "Whether they are formally a military unit or a
defense contractor, that is unknown," he added.
    A separate study released in February from Mandiant, another
firm that closely follows Chinese hackers, said a secret unit of
the Chinese military was engaged in cyber espionage on American
companies. Beijing vehemently denied the accusations in that
document, which contained photos of the building that Mandiant
said was the unit's headquarters.
    O'Murchu said Symantec believes Hidden Lynx is based in
China because much of the infrastructure used to run the attacks
is there and because the malicious software was written using
Chinese tools and with Chinese code.
    The Symantec report attributed several recent attacks to
Hidden Lynx, including a breach at cybersecurity firm Bit9 and
follow-on attacks at three Bit9 clients.
    It also connects Hidden Lynx to a major campaign dubbed
Voho, which was discovered last year by EMC Corp's RSA
security company. Voho targeted hundreds of organizations,
including financial services, technology and healthcare
companies, defense contractors and government agencies.

    FINANCE TARGETED
    Symantec's report described the group as a "highly efficient
team" capable of running multiple operations at once and of
targeting specific organizations across a variety of industries.
That profile suggests that they were hired by clients seeking
out very specific pieces of data, the report said.
    For example, the financial services sector was the most
heavily affected industry, representing about a quarter of
targets since November 2011, according to Symantec. 
    While Symantec would not identify particular victims within
the financial industry, it said they included companies with
information on pending merger and acquisition activity. Such
information might prove valuable to Hidden Lynx clients in
negotiating takeovers or trading shares.
    The victims did not include commercial banks, Symantec said.
    Hidden Lynx's arsenal of tools included Trojan Naid and
Trojan Moudoor, which siphoned data from infected computers. 
    Symantec, which sells software and services to protect
corporate and consumer computer systems from cyber attacks like
the ones mentioned in the report, said Naid was also used by
hackers in Operation Aurora.
    The Hidden Lynx hackers "were either responsible for the
Aurora attack or were working in conjunction with the Aurora
attackers," O'Murchu said.