Chinese APT Groups Targeted Enterprise Linux Systems in Decade-Long Data Theft Campaign
Organizations across multiple industries compromised in a systematic effort to steal IP and other sensitive business data, BlackBerry says.
April 7, 2020
Five related threat groups that for the past decade have been systematically stealing intellectual property from US companies seemingly on behalf of the Chinese government appear poised to do even more damage amid the COVID-19 pandemic.
The groups have successfully targeted companies in multiple critical industries via cross-platform attacks on back-end servers that are often used to store sensitive data. The attackers have focused especially on enterprise Linux servers because many of these systems are not typically as well protected as other key infrastructure, researchers at BlackBerry said in a report on the cyber espionage activities of the five groups.
The access that the threat groups have gained over the years on these networks now puts them in a position to maliciously exploit the recent surge in COVID-19-related teleworking, says Eric Cornelius, chief product architect at BlackBerry.
"The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates," Cornelius says. While the majority of the workforce is now teleworking, intellectual property remains on-premises on enterprise systems, many of which are Linux-based, he says. "The diminished number of personnel on-site to maintain security of these critical systems compounds the risks," Cornelius notes.
According to BlackBerry, the five China-based groups that it investigated for its report typically have pursued different objectives and targets. However, they have also collaborated with each other quite significantly in economic espionage and IP theft campaigns of interest to the Chinese government.
In recent years, such theft has evoked widespread concern and consternation in the US and other countries. The US government has accused China of attempting to leapfrog other countries by stealing critical trade secrets and IP from Western entities and using them to build its own products. Many believe the alleged data theft that is going on is designed to support major initiatives such as "Made in China 2025." The US government has opened some 1,000 investigations into China's espionage activity and handed down indictments against multiple individuals for cyber-enabled data theft.
The groups in BlackBerry's report have been operating under an approach that BlackBerry has dubbed WINNTI, under which groups of civilian contractors in China are assembled and attack tools and intelligence are shared in pursuit of a common goal.
Other security vendors have used the term WINNTI in association with a piece of malware. Some have assigned the name to an advanced persistent threat (APT) group and some have described WINNTI as an umbrella term for multiple APT groups working on behalf of the Chinese government. "We understand it more as an approach to fielding teams, which we assess are likely comprised of contractors with shifting missions," Cornelius says.
Four of the five groups in BlackBerry's report are previously known: Bronze Union (aka Emissary Panda, APT27), PassCV, Casper (aka Lead), and the original WINNTI APT group. The fifth is a Linux splinter cell group that BlackBerry is tracking as WLNXSPLINTER.
The groups have different targets and mission objectives but share several things in common, including, most significantly, the same Linux malware and infrastructure.
Full Stack of Linux Malware
Cornelius says BlackBerry found a full stack of Linux kernel-level malware being shared by the Chinese APT groups. The malware includes backdoors, remote access Trojans, and implants for carrying out a wide range of malicious activities. One of the groups also appeared to be connected to a massive Linux distributed denial-of-service botnet that researchers first observed in 2014 being used extensively against targets in Asia.
Together, the groups have targeted Red Hat Enterprise, CentOS, and Ubuntu Linux environments at organizations in nearly every geographic region and almost every industry vertical sector, including government, defense/military, technology, telecommunications, pharmaceuticals, manufacturing, and gaming. The attackers have been using compromised Linux servers as operational beachheads while remaining almost entirely undetected, BlackBerry said.
The choice of targeting is important because Linux servers are deployed extensively in enterprise data centers, including those belonging to major technology companies and e-commerce organizations, BlackBerry noted.
Many cloud service providers, too, use Linux servers to host enterprise data. Their always-on, always-available configurations have made Linux-based servers popular targets for state-sponsored groups, including those in China, Russia, and the United States, BlackBerry said. At the same time, many organizations are less aware of the Linux threat landscape and less prepared to deal with it than they are with threats directed at Windows and macOS environments, the vendor noted.
In addition to sharing Linux malware, all five groups in BlackBerry's research were also observed attacking video gaming companies. The goal in these attacks was to steal code-signing certificates that the threat actors then used to sign their malware.
More recently, the threat actors have begun compromising adware developers and using their code-signing certificates to sign malware. The use of such code-signing software has allowed the threat groups to remain hidden in plain sight on compromised networks, BlackBerry said.
In addition to attacking Linux servers, the five threat groups have also quite extensively targeted back-end Windows systems and mobile devices running Android.
The Android malware samples that BlackBerry uncovered in its research included a WINNTI-developed implant for Android.
Curiously, the implant later became available as a multiplatform commercial remote administration tool from a company called World Wired Labs. The product is currently available as a legitimate tool for incident responders and systems administrators. According to Cornelius, there are striking similarities in code between the WINNTI-developed implant and the commercial tool despite the fact that the former predated the latter by nearly two years.