Researchers have discovered a group of highly sophisticated hackers operating for hire out of China, a U.S. computer security company said on Tuesday, and it linked them to some of the best-known espionage attacks in recent years.
Symantec said the group, which it dubbed "Hidden Lynx," was among the most technically advanced of several dozen believed to be running cyber espionage operations out of China. Unlike a previous report by another company, Symantec did not accuse the Chinese government of involvement in the cyber attacks.
Symantec's 28-page report described Hidden Lynx as a "professional organisation" staffed by between 50 and 100 people with a variety of skills needed to breach networks and steal information, including valuable corporate secrets.
The company said its researchers believed Hidden Lynx might have been involved with the 2009 Operation Aurora attacks, the most well-known cyber espionage campaign uncovered to date against U.S. companies.
In Operation Aurora, hackers attacked Google, Adobe Systems and dozens of other companies. Google in January 2010 disclosed the attacks, in which hackers tried to read Gmail communications of human rights activists and to access and change source code at targeted companies.
Symantec researcher Liam O'Murchu said his company could not determine which individuals were behind Hidden Lynx or if it was linked to the Chinese government.
A separate study, released in February from U.S. computer security company Mandiant, said a secret unit of the Chinese military was engaged in cyber espionage on American companies. Beijing vehemently denied the accusations in that document, which contained photos of the building that Mandiant said was the unit's headquarters.
Symantec believes Hidden Lynx is based in China because much of the infrastructure used to run the attacks is there and because the malicious software was written using Chinese tools and with Chinese code, O'Murchu said.
The Symantec report attributed several recent attacks to Hidden Lynx, including a breach at cybersecurity firm Bit9 and follow-on attacks at three Bit9 clients.
It also connects Hidden Lynx to a major campaign dubbed Voho, which was discovered last year by EMC's RSA security company. Voho targeted hundreds of organizations, including financial service, technology and healthcare companies; defense contractors; and government agencies.
Symantec's report described the group as a "highly efficient team" capable of running multiple operations at once and of targeting specific organizations across a variety of industries. That profile suggests that they were hired guns working for clients seeking out very specific pieces of data, the report said.
For example, the financial services sector was the most heavily affected industry, representing about a quarter of targets since November 2011, according to Symantec.
While Symantec would not identify particular victims within the financial industry, it said they included companies with information on pending M&A activity. Such information might prove valuable to Hidden Lynx clients in negotiating takeovers or trading shares.
The victims did not include commercial banks, Symantec said.
Hidden Lynx's arsenal of tools included Trojan Naid and Trojan Moudoor, which siphoned data from infected computers.
Symantec, which sells software and services to protect corporate and consumer computer systems from cyber attacks like the ones mentioned in the report, said Naid was also used by hackers in Operation Aurora.
The Hidden Lynx hackers "were either responsible for the Aurora attack or were working in conjunction with the Aurora attackers," O'Murchu said.