A hacking team with unusual skill and persistence has penetrated more than 100 organizations around the world, including US defense contractors, investment banks, and security companies whose sole purpose is to defend against such attacks, according to a detailed report.

One of the best-known exploits of the so-called Hidden Lynx group was the devastating compromise of security firm Bit9 in February. The Waltham, Massachusetts, company provides an "application whitelisting" service that allows customers to run only a small set of approved software on their PCs and networks. By hacking into the company's servers and stealing the private cryptographic keys Bit9 used to digitally sign legitimate apps, the intruders were able to infect more valuable targets inside military contracting firms that used the service.

Until now, little has been known about the group responsible for the Bit9 attack. Now, a detailed report released by security firm Symantec reveals it was a highly organized gang of hackers that has breached some 100 companies and government organizations around the world since 2009. They're dubbed the Hidden Lynx gang, based on a text string found on one of the command and control (C&C) servers they use to communicate with infected machines inside the organizations they compromise.

"From the evidence seen, it's clear that Hidden Lynx belongs to a professional organization," the report stated. It continued:

They operate in a highly efficient manner. They can attack on multiple fronts. They use the latest techniques, have access to a diverse set of exploits, and have highly customized tools to compromise target networks. Their attacks, carried out with such precision on a regular basis over long periods of time, would require a well-resourced and sizeable organization. They possess expertise in many areas, with teams of highly skilled individuals who can adapt rapidly to the changing landscape. This team could easily consist of 50-100 individuals. This level of resources would be needed to build these Trojans, maintain infection and C&C infrastructure, and pursue confidential information on multiple networks. They are highly skilled and experienced campaigners in pursuit of information of value to both commercial and governmental organizations.

The Bit9 intrusion underscores the resourcefulness and persistence of the group. As thorough as that attack was, the hack was a mere detour taken on a longer path in a much more serious campaign. Dubbed VOHO, that campaign targeted US defense contractors. As it turned out, many of the VOHO targets used Bit9's application whitelisting service to prevent malware infections.

"When the Hidden Lynx attackers' progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purpose," Symantec analysts wrote in a separate Web post. "This is exactly what they did when they diverted their attention to Bit9 and breached their systems. Once breached, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model. They then used this system to sign a number of malware files and then these files were used in turn to compromise the true intended targets."
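As an added illustration (not code from Bit9, Symantec or the report), the Python model below shows why an allowlist rule of "run anything signed with the vendor key" collapses once that key is stolen, and how two defender checks, an explicit per-file hash allowlist and revocation of the compromised key, close the gap. The HMAC key standing in for the vendor's asymmetric signing key, the file names and the key value are all constructed for the example.

```python
# Added example (not Bit9's or Symantec's code): models why "signed by the vendor key"
# is a weak allowlisting rule once the key is stolen, and two defender mitigations.
import hashlib
import hmac
from dataclasses import dataclass, field

# Simplification: a symmetric HMAC key stands in for the vendor's private signing key.
# A real signer would use an asymmetric key pair; the trust logic below is unchanged.
VENDOR_KEY = b"constructed-vendor-signing-key"  # constructed sample, not a real key


def sign(key: bytes, artifact: bytes) -> bytes:
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_valid(key: bytes, artifact: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, artifact), sig)


@dataclass
class Policy:
    signer_key: bytes
    revoked: bool = False  # set once the key is known to be compromised
    approved_hashes: set = field(default_factory=set)  # explicit per-file allowlist


def naive_allow(policy: Policy, artifact: bytes, sig: bytes) -> bool:
    """Rule 1: run anything the vendor key signed. Fails once the key leaks."""
    return signature_valid(policy.signer_key, artifact, sig)


def hardened_allow(policy: Policy, artifact: bytes, sig: bytes) -> bool:
    """Rule 2: valid signature AND key not revoked AND hash explicitly approved."""
    if policy.revoked or not signature_valid(policy.signer_key, artifact, sig):
        return False
    return hashlib.sha256(artifact).hexdigest() in policy.approved_hashes


def scenario() -> dict:
    good = b"legitimate-updater.exe"  # constructed stand-ins for real binaries
    bad = b"malware-dropper.exe"
    policy = Policy(VENDOR_KEY, approved_hashes={hashlib.sha256(good).hexdigest()})
    good_sig = sign(VENDOR_KEY, good)
    stolen_sig = sign(VENDOR_KEY, bad)  # attacker with the stolen key signs malware
    results = {
        "naive_good": naive_allow(policy, good, good_sig),
        "naive_malware": naive_allow(policy, bad, stolen_sig),  # True: whitelist bypassed
        "hardened_good": hardened_allow(policy, good, good_sig),
        "hardened_malware": hardened_allow(policy, bad, stolen_sig),  # False: hash unknown
    }
    policy.revoked = True  # incident response: revoke the compromised key, re-sign later
    results["good_after_revoke"] = hardened_allow(policy, good, good_sig)  # False
    return results
```

The last result shows the cost of revocation: legitimate files signed with the compromised key must be re-signed and re-approved before they run again.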

The report said the group is divided into two teams that use separate malware tools and sometimes work independently of each other. Team Moudoor, named for the trojan they use, takes a large-scale approach that broadly penetrates organizations in the financial industry, local and federal government organizations, and organizations related to healthcare, education, and law. Team Naid, by contrast, is more of a special operations squad that keeps a low profile so it can save its resources for the highest-profile targets in the defense industrial base.

The group pioneered so-called watering hole attacks, which infect a site with malware in the hopes of compromising the high-value targets known to frequent it. Members wield advanced zero-day attacks that exploit security vulnerabilities in Oracle's Java, Microsoft's Internet Explorer, and other widely used software frameworks or applications. The report said their tactics and exploits are far more advanced than those of the Comment Crew, a China-affiliated hacking crew that researchers from security firm Mandiant said has siphoned terabytes of sensitive data from 141 organizations over the past seven years. Hidden Lynx also wielded one of the trojans used by the group that breached Google and at least 34 other companies in 2010.

"Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that is contracted by clients to provide information," Symantec researchers wrote. "They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets."