ETDA ThaiCERT
Report
Search
Home > List all groups > Hidden Lynx, Aurora Panda

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Hidden Lynx, Aurora Panda

NamesHidden Lynx (Symantec)
Aurora Panda (CrowdStrike)
Group 8 (Talos)
CountryChina China
MotivationInformation theft and espionage
First seen2009
Description(Symantec) The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.

Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China. The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The Hidden Lynx group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.

This group appears to be closely associated with APT 17, Deputy Dog, Elderwood, Sneaky Panda.
ObservedSectors: Construction, Defense, Education, Financial, Food and Agriculture, Engineering, Healthcare, IT, Government, Media, Non-profit organizations, Pharmaceutical, Retail and lawyers.
Countries: Australia, Canada, China, France, Germany, Hong Kong, India, Japan, Russia, Singapore, South Korea, Taiwan, UK, Ukraine, USA.
Tools usedBlackCoffee, HiKit, Moudoor, Naid.
Operations performedJun 2012VOHO campaign
The VOHO campaign, first publicized by RSA, is one of the largest and most successful watering-hole attacks to date. The campaign combined both regional and industry-specific attacks and predominantly targeted organizations that operate in the United States. In a rapidly spreading two-phase attack, which started on June 25 and finished July 18, nearly 4,000 machines had downloaded a malicious payload. These payloads were being delivered to unsuspecting victims from legitimate websites that were strategically compromised.
<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf>
Jul 2012Breach of the Bit9 website
<https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/>
Counter operations2014Operation “SMN”
Security vendors take action against Hidden Lynx malware
<https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware>
Information<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf>
<https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire>
<https://www.recordedfuture.com/hidden-lynx-analysis/>

Last change to this card: 16 May 2020

Download this actor card in PDF or JSON format

Previous: Hexane
Next: Honeybee

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key