China-based hacking group behind hundreds of attacks on U.S. companies

Hidden Lynx hacking-for-hire group more sophisticated than others, including using malware targeting zero-day flaws, Symantec says

A group of between 50 and 100 professional hackers operating out of China has been systematically targeting businesses, military and government agencies around the world since at least 2009, security vendor Symantec said in a report released on Tuesday.

The group, called Hidden Lynx, is believed to be connected to the Operation Aurora espionage campaign of 2010, in which dozens of major companies, including Google and Microsoft, were targeted.

More recently, Hidden Lynx was associated with an attack on security vendor Bit9 earlier this year, and also with numerous "watering hole" attacks against hundreds of organizations in the United States.

The group has a long history of attacking organizations in the defense industrial base, financial services sector, education, government, supply chain and the engineering sector, Symantec noted in its report. More than half of the attacks have been against U.S.-based companies, but the group has been going after targets in other countries as well.

What makes Hidden Lynx notable is its access to what appears to be an arsenal of sophisticated malware tools, including exploits for zero-day vulnerabilities, said Kevin Haley, director of Symantec Security Response.

The tools include one named Trojan.Naid, which the group apparently reserves for use against high-value targets such as those in Operation Aurora. Another, dubbed Backdoor.Moudoor, is used for more general-purpose hacking campaigns.

Haley said members of Hidden Lynx appear loosely organized into two teams: an A-team, comprising a relatively small number of elite hackers with access to sophisticated tools like Trojan.Naid; and a B-team, which appears to consist mainly of foot soldiers responsible for carrying out large attacks using Backdoor.Moudoor and similar tools.

The elite hackers are usually deployed for special operations requiring a high degree of skill and secrecy, Haley noted. This group often appears to have advance knowledge of, and access to, information on fresh zero-day vulnerabilities, he said.

The Symantec paper pointed to one incident earlier this year where the Hidden Lynx group used advance knowledge of a zero-day Oracle vulnerability to attack targets in Japan.

One of the more remarkable aspects of the group is its apparent problem-solving skill, Haley noted. In situations where members of Hidden Lynx have been unable to penetrate a target directly, they have looked for other routes in, identifying and exploiting the target's vulnerable suppliers, partners and service providers.

As an example, he pointed to the attack on Bit9 earlier this year, in which Hidden Lynx managed to gain access to Bit9's digital code-signing infrastructure. The hacking group used it to sign a total of 32 Trojans and malicious scripts, which it then used to try to infiltrate companies that relied on Bit9's security services, including a major defense contractor.

Most of the attack infrastructure and tools used in attacks by Hidden Lynx appear to be hosted in China. According to Haley, there is not much evidence to suggest that Hidden Lynx is state sponsored. In fact, at least some of the hacking group's victims appear to be based in China.

Rather, members of Hidden Lynx appear to be hackers-for-hire. The broad range of information and companies they have targeted in the past suggests that the group simply executes tasks on behalf of paying clients. "They are likely tasked with obtaining very specific information that could be used to gain competitive advantages at both a corporate and nation state level," the Symantec report said.

Hidden Lynx itself is unlikely to be using any of the information it steals, Symantec said. "Their mode of operation would suggest that they may be a private organization of 'hackers for hire', who are highly skilled, experienced professionals whose services are available for those willing to pay."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
