Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches
4/7/2020 06:45 PM
Chinese APT Groups Targeted Enterprise Linux Systems in Decade-Long Data Theft Campaign

Organizations across multiple industries compromised in a systematic effort to steal IP and other sensitive business data, BlackBerry says.

Five related threat groups that for the past decade have been systematically stealing intellectual property from US companies seemingly on behalf of the Chinese government appear poised to do even more damage amid the COVID-19 pandemic.

The groups have successfully targeted companies in multiple critical industries via cross-platform attacks on back-end servers that are often used to store sensitive data. The attackers have focused especially on enterprise Linux servers because many of these systems are not typically as well protected as other key infrastructure, researchers at BlackBerry said in a report on the cyber espionage activities of the five groups.

The access that the threat groups have gained over the years on these networks now puts them in a position to maliciously exploit the recent surge in COVID-19-related teleworking, says Eric Cornelius, chief product architect at BlackBerry.

"The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates," Cornelius says. While the majority of the workforce is now teleworking, intellectual property remains on-premises on enterprise systems, many of which are Linux-based, he says. "The diminished number of personnel on-site to maintain security of these critical systems compounds the risks," Cornelius notes.

According to BlackBerry, the five China-based groups that it investigated for its report typically have pursued different objectives and targets. However, they have also collaborated with each other quite significantly in economic espionage and IP theft campaigns of interest to the Chinese government.

In recent years, such theft has evoked widespread concern and consternation in the US and other countries. The US government has accused China of attempting to leapfrog other countries by stealing critical trade secrets and IP from Western entities and using them to build its own products. Many believe the alleged data theft is designed to support major initiatives such as "Made in China 2025." The US government has opened some 1,000 investigations into China's espionage activity and handed down indictments against multiple individuals for cyber-enabled data theft.

The groups in BlackBerry's report have been operating under an approach that BlackBerry has dubbed WINNTI, under which groups of civilian contractors in China are assembled and attack tools and intelligence are shared in pursuit of a common goal.

Other security vendors have used the term WINNTI in association with a piece of malware. Some have assigned the name to an advanced persistent threat (APT) group and some have described WINNTI as an umbrella term for multiple APT groups working on behalf of the Chinese government. "We understand it more as an approach to fielding teams, which we assess are likely comprised of contractors with shifting missions," Cornelius says.

Four of the five groups in BlackBerry's report are previously known: Bronze Union (aka Emissary Panda, APT27), PassCV, Casper (aka Lead), and the original WINNTI APT group. The fifth is a Linux splinter cell group that BlackBerry is tracking as WLNXSPLINTER.

The groups have different targets and mission objectives but share several things in common, including, most significantly, the same Linux malware and infrastructure.

Full Stack of Linux Malware
Cornelius says BlackBerry found a full stack of Linux kernel-level malware being shared by the Chinese APT groups. The malware includes backdoors, remote access Trojans, and implants for carrying out a wide range of malicious activities. One of the groups also appeared to be connected to a massive Linux distributed denial-of-service botnet that researchers first observed in 2014 being used extensively against targets in Asia.

Together, the groups have targeted Red Hat Enterprise, CentOS, and Ubuntu Linux environments at organizations in nearly every geographic region and almost every industry vertical sector, including government, defense/military, technology, telecommunications, pharmaceuticals, manufacturing, and gaming. The attackers have been using compromised Linux servers as operational beachheads while remaining almost entirely undetected, BlackBerry said.
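Kernel-level implants of the kind described above have to be loaded as kernel modules, so one defensive check is to compare the modules a host reports in /proc/modules against a known-good baseline and to look at the kernel's own taint flags (O for out-of-tree, E for unsigned). The script below is an added illustration of that check; it is not code from BlackBerry's report, and both the baseline allowlist and the /proc/modules snapshot it parses are constructed for the example rather than taken from any real host.

```python
"""Baseline check of loaded Linux kernel modules over a /proc/modules snapshot.

Added example for this article, not code from BlackBerry's report. The
BASELINE set and SAMPLE_PROC_MODULES text are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed /proc/modules snapshot. Real lines have the form:
#   name size refcount deps state address [(taint flags)]
SAMPLE_PROC_MODULES = """\
nf_conntrack 172032 1 nf_nat, Live 0xffffffffc0a00000
xfs 1548288 2 - Live 0xffffffffc0900000
ext4 774144 1 - Live 0xffffffffc0800000
rtl8821ce 221184 0 - Live 0xffffffffc0700000 (OE)
sysmon_helper 16384 0 - Live 0xffffffffc0600000 (E)
"""

# Constructed allowlist; in practice built from a known-good image of the host.
BASELINE: Set[str] = {"nf_conntrack", "nf_nat", "xfs", "ext4"}

# Kernel module taint letters that matter for this check:
#   O = out-of-tree module, E = unsigned module on a signature-checking kernel.
SUSPICIOUS_TAINTS = {"O": "out-of-tree", "E": "unsigned"}


@dataclass
class ModuleFinding:
    name: str
    reasons: List[str]


def parse_proc_modules(text: str) -> Dict[str, str]:
    """Map module name -> taint flag string ('' when the module is untainted)."""
    mods: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = parts[0]
        # Taint flags, when present, are the trailing parenthesised group.
        m = re.search(r"\(([A-Z+-]+)\)\s*$", line)
        mods[name] = m.group(1) if m else ""
    return mods


def check_modules(text: str, baseline: Set[str]) -> List[ModuleFinding]:
    """Flag modules that are not in the baseline or carry suspicious taint flags."""
    findings: List[ModuleFinding] = []
    for name, taint in parse_proc_modules(text).items():
        reasons: List[str] = []
        if name not in baseline:
            reasons.append("not in baseline")
        for letter, meaning in SUSPICIOUS_TAINTS.items():
            if letter in taint:
                reasons.append(f"taint {letter} ({meaning})")
        if reasons:
            findings.append(ModuleFinding(name, reasons))
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_PROC_MODULES with open("/proc/modules").read().
    for finding in check_modules(SAMPLE_PROC_MODULES, BASELINE):
        print(f"{finding.name}: {', '.join(finding.reasons)}")
```

The baseline comparison catches modules that should not be present at all, while the taint flags catch modules that were loaded outside the distribution's signed module set even if their names look plausible; a module absent from the baseline and carrying both flags is the case most worth investigating first.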

The choice of targeting is important because Linux servers are deployed extensively in enterprise data centers, including those belonging to major technology companies and e-commerce organizations, BlackBerry noted.

Many cloud service providers, too, use Linux servers to host enterprise data. Their always-on, always-available configurations have made Linux-based servers popular targets for state-sponsored groups, including those in China, Russia, and the United States, BlackBerry said. At the same time, many organizations are not as aware of the Linux threat landscape, and neither are they as well prepared to deal with it compared with threats directed at Windows and macOS environments, the vendor noted.

In addition to sharing Linux malware, all five groups in BlackBerry's research were also observed attacking video gaming companies. The goal in these attacks was to steal code-signing certificates that the threat actors then used to sign their malware.

More recently, the threat actors have begun compromising adware developers and using their code-signing certificates to sign malware. Signing with such certificates has allowed the threat groups to remain hidden in plain sight on compromised networks, BlackBerry said.

In addition to attacking Linux servers, the five threat groups have also quite extensively targeted back-end Windows systems and mobile devices running Android.

The Android malware samples that BlackBerry uncovered in its research included a WINNTI-developed implant for Android.

Curiously, the implant later became available as a multiplatform commercial remote administration tool from a company called World Wired Labs. The product is currently available as a legitimate tool for incident responders and systems administrators. According to Cornelius, there are striking similarities in code between the WINNTI-developed implant and the commercial tool despite the fact that the former predated the latter by nearly two years.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...