Coalition Fights Hacking Group

Wednesday, October 15, 2014 @ 04:10 PM gHale

A group of security vendors has joined forces to fight malware used by a hacking team linked to cyberespionage campaigns.

The team in question is China-based and made up of up to 100 operators who carry out on-demand attacks, said researchers at Symantec, which calls the group “Hidden Lynx.”

Security researchers said the group is well resourced and was one of the first to use the “watering hole” attack method, compromising websites its targets are known to visit, to spread malicious software.

This is the first initiative of this kind against an APT (advanced persistent threat) group, and it included intelligence from Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity, Novetta, and Symantec.

The effort, named Operation SNM, was coordinated by Novetta, an advanced analytics company, under Microsoft’s Coordinated Malware Eradication program.

Worth noting is that all the members of the coalition are from the private sector and most compete with one another for customers; nevertheless, they agreed to share intelligence about the malicious tools Hidden Lynx uses to infiltrate organizations.

This initiative is a step forward from individual threat reporting and toward a centralized system to identify threat actors involved in espionage campaigns.

Hidden Lynx’s main goal is to maintain a foothold in the target’s network while looking for ways to move deeper without triggering detection mechanisms.

Novetta said the targets range from large public network infrastructure providers to holders of extensive IP portfolios, and government entities from various countries in Asia and the United States.

Researchers observed that, apart from deploying malicious software, Hidden Lynx often compromises the supply chain of a targeted organization in order to work its way into the network.

Novetta calls the bad guys “Axiom” and said they rely on “compromised mid-point infrastructure within Korea, Taiwan, Japan, Hong Kong and the United States to conduct exploitation operations.”

The threat group is capable of privilege escalation, lateral movement across the network, and the use of custom backdoors.

During Operation SNM, the group was seen targeting and exploiting human resource management agencies, individuals in law enforcement organizations, media agencies in the US, Europe and Japan, international law firms, and a Ministry of Finance, all of them targeted since September 2013.
