HUNTING HIDDEN LYNX: HOW OSINT IS CRUCIAL FOR APT ANALYSIS
Posted: 1st May 2014
By: CHRIS

ANALYSIS SUMMARY

* Visualization of open source intelligence on APTs reveals overlapping infrastructure, tools, and exploits used in the VOHO campaign and Operations Aurora, DeputyDog, and Ephemeral Hydra.
* Two vulnerabilities were identified as exploited by Hidden Lynx in its VOHO campaign (2012) and by the Elderwood Gang responsible for Operation Aurora (2010). Command and control infrastructure was also shared between Hidden Lynx and the threat actors responsible for two campaigns during 2013: Operation DeputyDog and Operation Ephemeral Hydra.
* Threat intelligence derived from disparate open web sources bolsters security efforts by identifying and contextualizing links between threat actors.

When the New York Times and Mandiant last year unmasked a large-scale Chinese hacking operation, pinpointing its location down to the building, the report drew mainstream attention to what security professionals already knew well: sophisticated threat actors carry out persistent cyber operations over months and years. This post illustrates how open source intelligence (OSINT) from the web is not only useful but crucial to threat intelligence teams analyzing advanced persistent threats.
Through OSINT analysis, we discover clues to APT attack methods that link together the research of independent threat intelligence teams, suggesting new lines of analysis that were not prominent when looking at the work of any single threat intel team in isolation. We will detail how the C&C infrastructure and tools used by the hacker group Hidden Lynx during its VOHO campaign (2012), excellently documented by Symantec researchers last September, overlap with tools used in other high-profile operations during the past few years. The other campaigns evaluated are Operation Aurora (2010), Operation DeputyDog (2013), and Ephemeral Hydra (2013).

HISTORY OF HIDDEN LYNX MALWARE

Security researchers have shown time and again that cyber actors frequently recycle effective attack methods. These attack methods retain telltale signatures even as a threat actor's targeting and tools evolve. Therefore, our investigation looked for clues that linked hackers across one or more of the campaigns in question.

Seeking to tease out any possible links between Operation Aurora, VOHO, Operation DeputyDog, and Ephemeral Hydra, we began with Symantec's Hidden Lynx report as our foundation. The authors of that report identify three primary tools used in the campaigns attributed to Hidden Lynx: Trojan.Naid, Backdoor.Moudoor, and Backdoor.Hikit. Using Recorded Future, we quickly built a timeline of the reported use of those tools in major security incidents, finding many events prior to the early 2013 exposé on Hidden Lynx.

CONNECTING THE DOTS

Our analysis, based solely on information openly available on the web, builds on significant technical research that has explicitly linked elements of the aforementioned campaigns. In particular, FireEye during the fall of 2013 called out infrastructure overlap between Ephemeral Hydra and DeputyDog. Aspects of these two campaigns used tools and C&C infrastructure reportedly used by Hidden Lynx.
These include a Hydraq/McRAT variant with lineage traceable to Aurora. Symantec during 2012 linked the Elderwood Project to Operation Aurora; Trojan.Naid and Backdoor.Moudoor were also used in Aurora, by the Elderwood Gang, and by Hidden Lynx.

A brief summary of targets for each campaign:

* Aurora: Technology, Finance, Energy and Defense
* Elderwood: Defense and Supply Chain
* VOHO: Government, Defense, and Education (Hidden Lynx separately targeted Finance)
* DeputyDog: Government (Japan and China)
* Ephemeral Hydra: Government and Defense

Much of the above was well documented. However, some connections described over the course of several years, oftentimes by different research teams and published across a variety of sources, are difficult to recall or might even be obscured by more recent information. What links did we discover in analysis using Recorded Future?

* Two vulnerabilities were found to be exploited by both the Elderwood Gang and Hidden Lynx: CVE-2012-1875 and CVE-2012-1889.
* One of those common exploits, targeting CVE-2012-1889, was on November 22, 2012 reportedly added to the "popular" Gong Da exploit kit.
* Three C&C servers were known to be shared between VOHO and various elements of Operation DeputyDog and Operation Ephemeral Hydra: 58[.]64[.]143[.]244, 66[.]153[.]86[.]14, 111[.]68[.]9[.]93
* Backdoor.Hikit, which appears to have been developed post-Operation Aurora, was used in both the VOHO and DeputyDog campaigns.
* Reported use of the Hydraq Trojan from Aurora (2010) fell off until September 2012. The delivery method appears to have then switched from spearphishing to a watering hole attack when a variant of Hydraq was discovered in Ephemeral Hydra during November 2013.

The above network shows relationships between three tools used by Hidden Lynx during its VOHO campaign: Trojan.Naid, Backdoor.Moudoor, and Backdoor.Hikit.
The connections indicate actors, targets, vulnerabilities, and technical information related to those tools. Note the density of connections between Moudoor and Naid, which are commonly reported as complementary tools. Trojan.Naid specifically was used to attack the security firm Bit9, ultimately compromising its digital code signing certificate. This allowed the hackers to then take on higher-value targets as part of the VOHO campaign. Naid was also used in the 2010 campaign known as Operation Aurora.

One of the key findings noted above was the identification of two vulnerabilities that were exploited by both Hidden Lynx and the Elderwood Gang, which has been linked to Operation Aurora. CVE-2012-1875 and CVE-2012-1889 are at the center of the network below, surrounded by targets and other related vulnerabilities.

After visualizing these links, we explored the vulnerabilities at the edges of the graph, looking for connections with exploits used in other campaigns. We found such a link in CVE-2013-3893, which was leveraged in the August 2013 attacks on Japanese targets that FireEye dubbed Operation DeputyDog. Similar to our approach with Symantec's report on Hidden Lynx, we used Recorded Future to organize the technical details about the DeputyDog attacks to reveal technical information described in the open source reporting across multiple campaigns.

The above network shows technical details and locations, both server hosts and targets, related to Operation DeputyDog. This enabled the creation of useful lists for us to seek overlap with other operations, establish the timing of exploits and C&C infrastructure used, and arrange alerts for ongoing monitoring.

To wrap up our investigation, we built a timeline of events related to the IP addresses associated with both Hidden Lynx campaigns as well as operations DeputyDog and Ephemeral Hydra.
The timeline details events related to the three previously cited IPs, 58[.]65[.]143[.]244, 66[.]153[.]86[.]14, and 111[.]68[.]9[.]93, used in both the Bit9 attacks and either DeputyDog or Ephemeral Hydra. Analysts were able to track 66[.]153[.]86[.]14 back to an email address linking DeputyDog and the Hidden Lynx VOHO campaign. Separate analyses in November 2013 describe C&C servers used by Trojan.APT.9002 that were also used in the Hidden Lynx attacks against Bit9.

REVEALING LINKS AND CONTEXT WITH WEB INTELLIGENCE

This investigation sheds new light on these campaigns without depending on private or freshly disclosed technical intelligence. Once assembled and structured for analysis, the collective knowledge about Hidden Lynx and many other APT campaigns, some of it publicly available for years, allows us to better understand intent and capabilities.

We often hear leaders lament the present state of intelligence sharing and advocate for new approaches which hold great promise. Meanwhile, large amounts of intelligence are already being shared in open source reporting. To yield insights, we must deal with great variety in sources and formats. The above data points were derived from PDFs, blog posts, and write-ups from security firms published on hundreds of websites. Recorded Future captures and structures that information, and provides analytic tools to help quickly make sense of it across disparate sources. The results of such threat actor and campaign analysis, corroborating evidence across multiple sources and linking technical details across security blogs, social media, and research forums, are insights that are useful from incident response to threat intelligence.