The name Hidden Lynx was assigned to the APT by experts at Symantec because they discovered a string with this name in the command and control server communications. According to the experts, the Hidden Lynx group is hackers for hire” time which appeared more aggressive of well-known groups such as APT1/Comment Crew.
As reported in the following Infograph, the Hikit backdoor has been used in cyber espionage attacks against a large number of entities in the US, Japan, Taiwan, South Korea, and other counties. The Hidden Lynx APT targeted practically every industry, including government, technology, research, defense and aerospace.
“Since then, Hidden Lynx has continued to use Hikit in its attacks against organizations predominantly in Taiwan, the US, Japan, and South Korea,” Symantec said. “In 2013, Hidden Lynx underwent a significant re-tooling effort, introducing two new malware tools, Backdoor.Fexel andBackdoor.Gresim, which it continues to use in conjunction with Hikit. Backdoor.Gresim was undiscovered prior to this collaboration effort.”
A joint force of experts composed by researchers from principal security companies (Symantec, Cisco Systems, FireEye, F-Secure, iSight Partners, ThreatConnect, Tenable, Microsoft, ThreatTrack Security and Volexity) conducted an operation dubbed ‘Operation SMN’ to target the Hikit backdoor and other malware used by the popular group.
The joint force was coordinated by security firm Novetta as part of Microsoft’s new Coordinated Malware Eradication program
“A coordinated operation involving Symantec and a number of other security companies has delivered a blow against Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group Hidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share intelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may significantly blunt the effectiveness of this malware.” announced Symantec.
The operation allowed the expert to exchange threat intelligence data on the cyber threat, precious information on the techniques, tactics, and procedures (TTPs) which characterized the operations of the Hidden Lynx team.
“We felt it was important to take action proactively in coordination with our coalition security industry partners,” said Novetta CEO Peter B. LaMontagne, in a statement. “The cumulative effect of such coordinated approaches could prove quite disruptive to the adversaries in question and mitigate some of the threat activity that plagues the joint customer base of this coalition.”
Hikit is an insidious remote access Trojan (RAT) that has been used in attacks since 2011, security experts detected it as essetial malware in the arsenal of popular Chinese APT groups, including Hidden Lynx and Pupa (Deep Panda).
“Hidden Lynx used Hikit during its compromise of Bit9’s trusted file-signing infrastructure in 2012,” Symantec noted. “This attack was then leveraged to mount the VOHO campaign in July 2012 using Bit9-signed malware. The ultimate target of this campaign was US companies whose computers were protected by Bit9. Hikit once again played a key role in this attack campaign.”
A comprehensive technical report about the operation is set to be released October 28th.
(Security Affairs – Hidden Lynx, APT)