4/7/2020 06:45 PM

Chinese APT Groups Targeted Enterprise Linux Systems in Decade-Long Data Theft Campaign

Organizations across multiple industries compromised in a systematic effort to steal IP and other sensitive business data, BlackBerry says.

Five related threat groups that for the past decade have been systematically stealing intellectual property from US companies seemingly on behalf of the Chinese government appear poised to do even more damage amid the COVID-19 pandemic.

The groups have successfully targeted companies in multiple critical industries via cross-platform attacks on back-end servers that are often used to store sensitive data. The attackers have focused especially on enterprise Linux servers because many of these systems are not typically as well protected as other key infrastructure, researchers at BlackBerry said in a report on the cyber espionage activities of the five groups.

The access that the threat groups have gained over the years on these networks now puts them in a position to maliciously exploit the recent surge in COVID-19-related teleworking, says Eric Cornelius, chief product architect at BlackBerry.

"The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates," Cornelius says. While the majority of the workforce is now teleworking, intellectual property remains on-premises on enterprise systems, many of which are Linux-based, he says. "The diminished number of personnel on-site to maintain security of these critical systems compounds the risks," Cornelius notes.

According to BlackBerry, the five China-based groups that it investigated for its report typically have pursued different objectives and targets. However, they have also collaborated with each other quite significantly in economic espionage and IP theft campaigns of interest to the Chinese government.

In recent years, such theft has evoked widespread concern and consternation in the US and other countries. The US government has accused China of attempting to leapfrog other countries by stealing critical trade secrets and IP from Western entities and using them to build its own products. Many believe the alleged data theft that is going on is designed to support major initiatives such as "Made in China 2025." The US government has opened some 1,000 investigations into China's espionage activity and handed down indictments against multiple individuals for cyber-enabled data theft.

The groups in BlackBerry's report have been operating under an approach that BlackBerry has dubbed WINNTI, under which groups of civilian contractors in China are assembled and attack tools and intelligence are shared in pursuit of a common goal.

Other security vendors have used the term WINNTI in association with a piece of malware. Some have assigned the name to an advanced persistent threat (APT) group and some have described WINNTI as an umbrella term for multiple APT groups working on behalf of the Chinese government. "We understand it more as an approach to fielding teams, which we assess are likely comprised of contractors with shifting missions," Cornelius says.

Four of the five groups in BlackBerry's report are previously known: Bronze Union (aka Emissary Panda, APT27), PassCV, Casper (aka Lead), and the original WINNTI APT group. The fifth is a Linux splinter cell group that BlackBerry is tracking as WLNXSPLINTER.

The groups have different targets and mission objectives but share several things in common, including, most significantly, the same Linux malware and infrastructure.

Full Stack of Linux Malware
Cornelius says BlackBerry found a full stack of Linux kernel-level malware being shared by the Chinese APT groups. The malware includes backdoors, remote access Trojans, and implants for carrying out a wide range of malicious activities. One of the groups also appeared to be connected to a massive Linux distributed denial-of-service botnet that researchers first observed in 2014 being used extensively against targets in Asia.

Together, the groups have targeted Red Hat Enterprise, CentOS, and Ubuntu Linux environments at organizations in nearly every geographic region and almost every industry vertical sector, including government, defense/military, technology, telecommunications, pharmaceuticals, manufacturing, and gaming. The attackers have been using compromised Linux servers as operational beachheads while remaining almost entirely undetected, BlackBerry said.

The choice of targeting is important because Linux servers are deployed extensively in enterprise data centers, including those belonging to major technology companies and e-commerce organizations, BlackBerry noted.

Many cloud service providers, too, use Linux servers to host enterprise data. Their always-on, always-available configurations have made Linux-based servers popular targets for state-sponsored groups, including those in China, Russia, and the United States, BlackBerry said. At the same time, many organizations are not as aware of the Linux threat landscape, nor are they as well prepared to deal with it, compared with threats directed at Windows and macOS environments, the vendor noted.

In addition to sharing Linux malware, all five groups in BlackBerry's research were also observed attacking video gaming companies. The goal in these attacks was to steal code-signing certificates that the threat actors then used to sign their malware.

More recently, the threat actors have begun compromising adware developers and using their code-signing certificates to sign malware. Because the resulting binaries carry valid signatures from legitimate publishers, they have allowed the threat groups to remain hidden in plain sight on compromised networks, BlackBerry said.
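As an added illustration (not from BlackBerry's report or this article), the constructed policy check below shows why a cryptographically valid signature from a stolen but legitimate certificate is not by itself a trust decision: chain validity, revocation and timestamp checks all pass for such a binary, and only an expected-publisher allowlist per host role flags it. Every publisher name, host role and sample record here is hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed record of what a signature-inspection step reports for one binary.
# Field names and every sample value in this block are hypothetical.
@dataclass
class SignatureInfo:
    signer_org: str        # Organization (O=) in the leaf certificate
    chain_valid: bool      # chain verifies to a trusted root
    revoked: bool          # leaf is listed on the issuer's CRL / OCSP
    not_before: datetime
    not_after: datetime
    signed_at: datetime    # trusted countersignature timestamp

# Publishers expected to sign software on each class of host. A game studio's
# certificate on a database server is suspicious even if the signature verifies.
EXPECTED_SIGNERS = {
    "db-server": {"Example Database Vendor Inc."},
    "workstation": {"Example Database Vendor Inc.", "Example Game Studio Ltd."},
}

def evaluate(sig: SignatureInfo, host_role: str) -> Tuple[str, str]:
    """Return (verdict, reason). A valid chain is necessary, never sufficient."""
    if not sig.chain_valid:
        return "block", "signature chain does not verify"
    if sig.revoked:
        return "block", "signing certificate has been revoked"
    if not (sig.not_before <= sig.signed_at <= sig.not_after):
        return "block", "signed outside the certificate validity window"
    if sig.signer_org not in EXPECTED_SIGNERS.get(host_role, set()):
        # Stolen-certificate case: a genuine certificate, wrong publisher for this role.
        return "alert", f"valid signature from unexpected publisher {sig.signer_org!r}"
    return "allow", "signature valid and publisher expected for this role"

# Constructed samples: a vendor binary, a daemon signed with a game studio's
# (presumed stolen) certificate, and one signed with a since-revoked certificate.
_UTC = timezone.utc
def _sample(org: str, revoked: bool = False) -> SignatureInfo:
    return SignatureInfo(org, True, revoked, datetime(2019, 1, 1, tzinfo=_UTC),
                         datetime(2021, 1, 1, tzinfo=_UTC), datetime(2020, 3, 1, tzinfo=_UTC))
SAMPLES = {
    "vendor-agent": _sample("Example Database Vendor Inc."),
    "game-cert-daemon": _sample("Example Game Studio Ltd."),
    "revoked-cert-daemon": _sample("Example Database Vendor Inc.", revoked=True),
}

def triage(host_role: str) -> Dict[str, str]:
    # Verdict per sample binary for the given host role.
    return {name: evaluate(sig, host_role)[0] for name, sig in SAMPLES.items()}
```

Running `triage("db-server")` yields allow / alert / block for the three samples in order; the same game-studio-signed daemon is allowed on a workstation, which is the point: the decision depends on who is expected to sign for that host, not only on whether the signature verifies.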

In addition to attacking Linux servers, the five threat groups have also quite extensively targeted back-end Windows systems and mobile devices running Android.

The Android malware samples that BlackBerry uncovered in its research included a WINNTI-developed implant for Android.

Curiously, the implant later became available as a multiplatform commercial remote administration tool from a company called World Wired Labs. The product is currently available as a legitimate tool for incident responders and systems administrators. According to Cornelius, there are striking similarities in code between the WINNTI-developed implant and the commercial tool despite the fact that the former predated the latter by nearly two years.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...