Evolution of Attackers-for-Hire

Research Shows Growing Sophistication of Hackers

Kevin Haley

The emergence of attackers-for-hire is a troubling trend in cybercrime, and one particular group is changing its techniques to gain access to computer systems, says Symantec researcher Kevin Haley.

A China-based group known as Hidden Lynx is a well-funded network of cyber-attackers that's leasing its services for targeted campaigns, says Haley, director of Symantec's security response team. The group has been responsible for five attacks in the last two and a half years, Haley says.

Symantec learned that Hidden Lynx was involved in Operation Aurora in 2009, which targeted Google and 30 other businesses. "We discovered that this group was involved in that because one of their pieces of malware was actually used in that attack," Haley says in an interview with Information Security Media Group [transcript below].

"What we see is an evolution," he says. "We're seeing a higher volume of attacks being launched and managed; we're seeing an increase in the sophistication of what they're doing; and we've actually seen new attack techniques developed by this team."

For four years, Haley and his team have been closely tracking the activities of these attackers-for-hire.

During this interview, Haley:

Describes how Hidden Lynx's attacks have evolved;
Explains that the group focuses on cyber-espionage designed to steal information, rather than distributed-denial-of-service attacks; and
Outlines steps organizations should take to enhance their cyberdefenses in light of the attackers-for-hire trend.

Haley is responsible for Symantec's global intelligence network, where he educates consumers and customers about security issues. During his 13 years at the company, Haley has helped develop its anti-virus solutions for endpoints and mail servers and create network and system management solutions. Earlier, he worked on software distribution tools at Hewlett-Packard and was a product manager at Sun Microsystems.

Hidden Lynx

TRACY KITTEN: What can you tell us about the group Hidden Lynx and who's behind it?

KEVIN HALEY: It's a highly sophisticated group of hackers who have been around for some time now and launched numerous campaigns against numerous industries. It's really this broad reach that they have, the number of different types of organizations that they've attacked, that makes us believe that they're a hacker-for-hire type of organization.

KITTEN: How long have you been tracking this group, and what have you learned about its origins?

HALEY: We've been tracking this group since 2009. It's just that back in 2009 we weren't aware of the scope of what this group was involved in. In the last several years, we've been really able to start putting all the pieces together to understand that multiple attacks are all the responsibility of this group. That led up to the research that we just published.

KITTEN: Which industries have been targeted so far and over what period of time?

HALEY: Over the last several years, a whole host of industries have been targeted. About a quarter to 30 percent of those attacks were against the financial or investment industry and another 25 percent against government. But we've also seen attacks against healthcare, engineering, education, legal, retail, pharmaceutical, food and the defense industry.

Two Teams

KITTEN: One thing that I found fascinating is the fact that Symantec believes that Hidden Lynx actually comprises two separate teams. Why do you think that two separate teams are actually involved in this group?

HALEY: It looks like there's actually an A and a B team. The B team is called in to do general types of attacks, and we see one particular piece of malware and a way of operating that's very prevalent and involved in a lot of these attacks. But there's another group within Hidden Lynx that appears only to be called out for the very hard jobs. They have more stealth malware and they're attacking very specific targets that are the hardest ones to get in.

KITTEN: Beyond the fact that you have one group that's brought in when the attacks are a little bit more sophisticated or difficult, do the teams have different focuses?