For the past few years, reports have continued to emerge detailing the activities of actors behind various targeted attacks or Advanced Persistent Threats (APTs). Here at Symantec Security Response, we’ve been keeping our eyes on a group that we believe are among the best of breed. We’ve given them the name of Hidden Lynx—after a string that was found in the command and control server communications. This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew. Key characteristics of this group are:
- technical prowess
- sheer resourcefulness
These attributes are shown by the relentless campaigns waged against multiple concurrent targets over a sustained period of time. They are the pioneers of the “watering hole” technique used to ambush targets, they have early access to zero-day vulnerabilities, and they have the tenacity and patience of an intelligent hunter to compromise the supply chain to get at the true target. These supply chain attacks are carried out by infecting computers at a supplier of an intended target and then waiting for the infected computers to be installed and call home, clearly these are cool calculated actions rather than impulsive forays of amateurs.
This group doesn’t just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently. Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that are contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets.
We also believe that to carry out attacks of this scale, the group must have considerable hacking expertise at its disposal, perhaps 50 to 100 operatives are employed and organized into at least two distinct teams both tasked with carrying out different activities using different tools and techniques. These types of attacks require time and effort to carry out, some of the campaigns require research and intelligence gathering before any successful attacks can be mounted.
At the front line of this group is a team that uses disposable tools along with basic but effective techniques to attack many different targets. They may also act as intelligence collectors too. This team we call Team Moudoor after the name of the Trojan that they use. Moudoor is a back door Trojan that the team uses liberally without worry about discovery by security firms. The other team acts like a special operations unit, elite personnel used to crack the most valuable or toughest targets. The elite team uses a Trojan named Naid and are therefore referred to as Team Naid. Unlike Moudoor, the Naid Trojan is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option. Read the entire article>>