Symantec, which has dubbed the hacking gang "Hidden Lynx", believes that they have been operating since at least 2009, and are a "professional team of attackers with advanced capabilities" creating customised Trojan horses, and could number between 50 and 100 individuals.
And the group's hacking activities weren't limited to application whitelisting firm Bit9. According to Symantec, Hidden Lynx is likely to be offering a "hackers for hire" service stealing data from a range of corporate and government targets around the world.
Indeed, it appears that Bit9 was hacked because Hidden Lynx's real intended targets were US defence contractors, many of whom had been relying on Bit9's application whitelisting technology to prevent infection from unknown malware; compromising the vendor was a route past a control those targets trusted.
Symantec says that the attacks underline the importance of not relying on any one technology, but instead adopting a layered defence:
From the evidence seen, it’s clear that Hidden Lynx belongs to a professional organization. They operate in a highly efficient manner. They can attack on multiple fronts. They use the latest techniques, have access to a diverse set of exploits and have highly customized tools to compromise target networks. Their attacks, carried out with such precision on a regular basis over long periods of time, would require a well-resourced and sizeable organization. They possess expertise in many areas, with teams of highly skilled individuals who can adapt rapidly to the changing landscape. This team could easily consist of 50-100 individuals. This level of resources would be needed to build these Trojans, maintain infection and C&C infrastructure and pursue confidential information on multiple networks. They are highly skilled and experienced campaigners in pursuit of information of value to both commercial and governmental organizations.
The incident in Bit9, which ultimately led to successful compromises of hard-to-crack targets during the VOHO campaign, only serves to highlight this fact. The evolving targeted attack landscape is becoming increasingly sophisticated. As organizations implement security counter-measures, the attackers are adapting at a rapid rate. With a growing number of threat actors participating in these campaigns, organizations have to understand that sophisticated attackers are working hard to bypass each layer of security. It’s no longer safe to assume that any one solution will protect a company’s assets. A variety of solutions need to be combined and, with a better understanding of the adversary, tailored to adequately protect the information of most interest to the attackers.
According to Symantec's detailed report [PDF], corporate espionage and attacks against government contractors are the order of the day for Hidden Lynx, who exploit zero-day Internet Explorer vulnerabilities and distribute malicious Java applets via watering hole attacks (compromising websites their intended victims are known to visit).
Two separate teams are said to make up Hidden Lynx.
Team Moudoor, which distributes the Moudoor backdoor Trojan horse (a customised version of Gh0st RAT), concentrates its efforts on broad corporate espionage campaigns against several industries, including the financial sector, all levels of government, education and law, in its hunt for sensitive information which could be of interest to nation states and other bodies.
Team Naid, meanwhile, is said to be used more sparingly and is deployed for more limited attacks against high value targets.
Symantec didn't waste any time taking advantage of the intelligence they had gathered - they got their marketing team to produce a natty infographic:
Joking aside, Symantec's research makes for an interesting and worthwhile read.
Discover more in Symantec's technical paper: "Hidden Lynx – Professional Hackers for Hire" [PDF]