Chinese hackers have targeted Linux systems for nearly 10 years
BlackBerry researchers have uncovered a campaign by several Chinese government-linked hacker groups that remained undetected for nearly a decade and that targeted Linux systems in particular.
Detecting an attack often takes time, but the campaign discovered by BlackBerry security specialists is in a category of its own. For nearly a decade, five related Advanced Persistent Threat (APT) groups operating in the interests of the Chinese government have systematically targeted Linux servers, Windows systems and Android devices.
In the report “Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android” (available by subscription), the experts indicate that the APT groups successfully targeted companies in many critical sectors through cross-platform attacks on the back-end servers used to store sensitive data. The purpose of the attacks was to steal intellectual property, a form of theft that is the subject of more than 1,000 open investigations spread across the FBI’s 56 field offices, according to the US Department of Justice. The attackers focused on companies’ Linux servers, treating them as “a bridgehead in the network” and counting on the fact that they are generally less well protected than other key infrastructure. The groups concentrated on RHEL, CentOS and Ubuntu environments.
Coordinated and elaborate attacks
The report insists that the APT groups (WINNTI GROUP, PASSCV, BRONZE UNION, CASPER (LEAD) and WLNXSPLINTER) acted in a coordinated way, sharing cross-platform and open source tools. This last point takes on particular significance with the sudden and rapid rise of remote working. “The intellectual property remains in the company’s servers, which are mostly Linux-based, and there are fewer people to ensure the security of these systems,” observes Eric Cornelius, chief product architect at BlackBerry.
The report details the techniques used by the different groups. For Linux, the malware portfolio includes backdoors, RATs (remote access trojans) and a botnet component, active since 2014, that uses compromised Linux systems to launch DDoS attacks. For Android, one group used software that closely resembles the code of a commercially available penetration testing tool, NetWire; however, this malware seems to have been created almost two years before the commercial tool was launched. Finally, the study highlights that the attackers tend to use cloud service providers for command and control (C2) communications and data exfiltration, because traffic to those providers initially appears to be bound for a trusted network.