Chinese APT Groups Targeted Enterprise Linux Systems in Decade-Long Data Theft Campaign

Organizations across multiple industries compromised in a systematic effort to steal IP and other sensitive business data, BlackBerry says.

Five related threat groups that for the past decade have been systematically stealing intellectual property from US companies seemingly on behalf of the Chinese government appear poised to do even more damage amid the COVID-19 pandemic.

The groups have successfully targeted companies in multiple critical industries via cross-platform attacks on back-end servers that are often used to store sensitive data. The attackers have focused especially on enterprise Linux servers because many of these systems are not typically as well protected as other key infrastructure, researchers at BlackBerry said in a report on the cyber espionage activities of the five groups.

The access that the threat groups have gained over the years on these networks now puts them in a position to maliciously exploit the recent surge in COVID-19-related teleworking, says Eric Cornelius, chief product architect at BlackBerry.

"The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates," Cornelius says. While the majority of the workforce is now teleworking, intellectual property remains on-premises on enterprise systems, many of which are Linux-based, he says. "The diminished number of personnel on-site to maintain security of these critical systems compounds the risks," Cornelius notes.

According to BlackBerry, the five China-based groups that it investigated for its report typically have pursued different objectives and targets. However, they have also collaborated with each other quite significantly in economic espionage and IP theft campaigns of interest to the Chinese government.

In recent years, such theft has evoked widespread concern and consternation in the US and other countries. The US government has accused China of attempting to leapfrog other countries by stealing critical trade secrets and IP from Western entities and using them to build its own products. Many believe the alleged data theft that is going on is designed to support major initiatives such as "Made in China 2025." The US government has opened some 1,000 investigations into China's espionage activity and handed down indictments against multiple individuals for cyber-enabled data theft.

The groups in BlackBerry's report have been operating under an approach that BlackBerry has dubbed WINNTI, under which groups of civilian contractors in China are assembled and attack tools and intelligence are shared in pursuit of a common goal.

Other security vendors have used the term WINNTI in association with a piece of malware. Some have assigned the name to an advanced persistent threat (APT) group and some have described WINNTI as an umbrella term for multiple APT groups working on behalf of the Chinese government. "We understand it more as an approach to fielding teams, which we assess are likely comprised of contractors with shifting missions," Cornelius says.

Four of the five groups in BlackBerry's report are previously known: Bronze Union (aka Emissary Panda, APT27), PassCV, Casper (aka Lead), and the original WINNTI APT group. The fifth is a Linux splinter cell group that BlackBerry is tracking as WLNXSPLINTER.

The groups have different targets and mission objectives but share several things in common, including, most significantly, the same Linux malware and infrastructure.

Full Stack of Linux Malware
Cornelius says BlackBerry found a full stack of Linux kernel-level malware being shared by the Chinese APT groups. The malware includes backdoors, remote access Trojans, and implants for carrying out a wide range of malicious activities. One of the groups also appeared to be connected to a massive Linux distributed denial-of-service botnet that researchers first observed in 2014 being used extensively against targets in Asia.

Together, the groups have targeted Red Hat Enterprise Linux, CentOS, and Ubuntu environments at organizations in nearly every geographic region and almost every industry vertical, including government, defense/military, technology, telecommunications, pharmaceuticals, manufacturing, and gaming. The attackers have been using compromised Linux servers as operational beachheads while remaining almost entirely undetected, BlackBerry said.

The choice of targeting is important because Linux servers are deployed extensively in enterprise data centers, including those belonging to major technology companies and e-commerce organizations, BlackBerry noted.

Many cloud service providers, too, use Linux servers to host enterprise data. Their always-on, always-available configurations have made Linux-based servers popular targets for state-sponsored groups, including those in China, Russia, and the United States, BlackBerry said. At the same time, many organizations are not as aware of the Linux threat landscape, and neither are they as well prepared to deal with it compared with threats directed at Windows and macOS environments, the vendor noted.

In addition to sharing Linux malware, all five groups in BlackBerry's research were also observed attacking video game companies. The goal in these attacks was to steal code-signing certificates, which the threat actors then used to sign their malware.

More recently, the threat actors have begun compromising adware developers and using their code-signing certificates to sign malware. Signing malware with legitimately issued certificates has allowed the threat groups to remain hidden in plain sight on compromised networks, BlackBerry said.

In addition to attacking Linux servers, the five threat groups have also quite extensively targeted back-end Windows systems and mobile devices running Android.

The Android malware samples that BlackBerry uncovered in its research included a WINNTI-developed implant for Android.

Curiously, the implant later became available as a multiplatform commercial remote administration tool from a company called World Wired Labs. The product is currently available as a legitimate tool for incident responders and systems administrators. According to Cornelius, there are striking similarities in code between the WINNTI-developed implant and the commercial tool despite the fact that the former predated the latter by nearly two years.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
