A major security firm has identified what it called an alleged mercenary hacking group based in China that employs a special operations-like cyber squad to attack high-value targets.
The group, dubbed Hidden Lynx after a string of code it uses, has been around for at least four years and was behind attacks on “hundreds of organizations worldwide,” from targets in the financial sector, to government and, to a lesser extent, the defense industry, according to a report released Tuesday by the California-based cyber security company Symantec. The group has hit targets in 15 countries since November 2011, Symantec said, though more than half the attacks strike at computers in the U.S.
The paper describes Hidden Lynx as being made of up to 100 people split into two teams – one team dedicated to sweeping, large-scale campaigns that Symantec’s Samir Kapuria described as going after “targets of chance,” and another far more sophisticated team that only attacks “targets of choice.”
“These guys are a lot more precise and surgical,” Kapuria, Symantec’s Vice President of Business Strategy and Security Intelligence, told ABC News today. “The tactics and tools that they employ are things that they like to keep hidden… This is when there’s a specific mission in mind: ‘How do we infiltrate the supply chain of our ultimate target? How do we tailor some specific attack that allows us to go under the radar?’”
Kapuria said his company believes the group to be based in China because some of the applications used by the hackers are Chinese, some of the code they’ve developed is written in Chinese and because Symantec was able to geo-locate the “command and control” servers that direct the attacks to computers in China.
But unlike the previously revealed case of China’s Unit 61398, Kapuria said it doesn’t appear this group is working directly for the Chinese government or any nation-state. Symantec came at that conclusion based on the targets selected by Hidden Lynx. Though some pilfered information, especially from the financial and defense sectors, would be valuable to a nation-state, Kampuria said the sheer breadth and geographic spread of the attacks and the potential value of the information allegedly stolen suggest a mercenary role.
As the Symantec report put it, “It is unlikely that they can use this information for direct financial gain, and the diversity of the information and number of distinguishable campaigns would suggest that they are contracted by multiple clients.” Kapuria said he could not rule out a nation-state acting as a client, however.
However, Dmitri Alperovitch, an expert from the cyber security firm Crowdstrike, told ABC News that while he agrees Hidden Lynx is “the most advanced” of the more than two dozen hacking groups he’s tracked out of China, he does not believe the group is a mercenary group, but instead in the sole employ of the Chinese government.
“The target choice is consistent with the priorities of the Chinese government or their state-owned enterprises,” said Alperovitch, who tracked the group under the name Aurora Panda — a reference to the Aurora hack of 2009 in which the group was allegedly involved. “We have also seen no evidence that this group is available for hire in the underground or overtly.”
Though now publicly identified, Symantec said in the paper that the company doesn’t expect Hidden Lynx to stop their attacks, but rather to continue and innovate new ways to infiltrated protected systems.
Near the final page of the Symantec report is a list of their products that the company says can “play a role in defending against this threat.” Critics have in the past criticized the cyber security industry for hyping virtual dangers in order to drive up demand for their own business.
Kapuria dismissed the notion with regard to the Hidden Lynx paper, saying that the description of their products is included simply because often when the company educates others about such threats, the first question they get is, “What can we do?”