April 7, 2020

Ten-year Chinese hacking operation targets Linux servers

By Robert Scammell

A decade-long cyber-espionage operation saw five advanced Chinese hacking groups coordinate to “systemically” target Linux servers in a bid to steal organisations’ intellectual property, a new report has found.

Researchers at Blackberry, which published the findings, believe the advanced persistent threat (APT) groups were “operating in the interest of the Chinese government”.

Advanced Chinese hacking groups traditionally focus on separate objectives, but during this operation Blackberry observed a “significant degree of coordination” between the five APT groups.

This coordination was notable when APTs targeted Linux platforms, the operating system running nearly all of the top one million websites.

While Linux is not popular among desktops, it is installed on 75% of web servers, according to internet service firm Netcraft.

Linux is the preferred choice among cloud service providers and is the dominant operating system for the world’s supercomputers.

Blackberry is concerned that organisations have focused less on protecting back end infrastructure, allowing the Chinese APT groups to exploit potential security gaps.

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, chief product architect at BlackBerry.

“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

Windows and Android also targeted

The Chinese APT groups have also targeted Windows and Android operating systems during their hacking operation.

Blackberry researchers discovered two new forms of Android malware during their analysis. One of these samples “very closely resembles the code in a commercially available penetration testing tool”, even though it was apparently created two years before the commercial tool was made available, the researchers claim.

The report, titled ‘Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android’, notes that the cross-platform nature of the attacks raises concerns amid the increase in remote working during the coronavirus pandemic.

Intellectual property remains in enterprise data while security workers are stretched and forced to protect systems remotely.

The report notes that the tools used by the Chinese APT groups are “already in place” as the number of people working remotely during pandemic lockdowns sharply increases.

While attribution of state-supported cyberattacks is notoriously difficult, the US Justice Department has in recent years ramped up efforts to hold hackers to account.

In February FBI Director Christopher Wray said that the agency has some 1,000 open investigations into the theft of US intellectual property by Chinese state actors “spanning just about every industry and sector”.

And on 10 February US federal prosecutors charged four members of China’s People’s Liberation Army over the 2017 Equifax hack, in which some 147 million customers of the credit reporting agency had their personal data stolen.

“This research paints a picture of an espionage effort targeting the very backbone of large organisations’ network infrastructure that is more systemic than has been previously acknowledged,” says John McClurg, chief information security officer at BlackBerry.

“This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”
