Hackers Operating in the Interest of the Chinese Government Systematically Targeted Linux Servers, Windows Systems and Mobile Devices
Activity associated with five cyber-espionage groups acting in the interest of the Chinese government remained undetected for almost a decade, security researchers at BlackBerry say.
Successfully conducting cross-platform attacks targeting Linux, Windows and Android devices, the adversaries have been engaged in both financially motivated and targeted espionage attacks. The hackers are likely civilian contractors working in the interest of the Chinese government, BlackBerry believes.
The attackers “readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts. This reflects a highly agile government/contractor ecosystem,” the security researchers explain in a new report (PDF).
For years, these groups have been strategically targeting Linux servers (Red Hat Enterprise, CentOS, and Ubuntu Linux) across a broad range of industry verticals, exploiting the immature defensive coverage within the environment and the inadequate use of endpoint protection (EPP) and endpoint detection and response (EDR) products, BlackBerry notes.
Referred to as WINNTI GROUP, PASSCV, BRONZE UNION (EMISSARY PANDA), CASPER (LEAD), and the newly identified adversary WLNXSPLINTER, the five Advanced Persistent Threat (APT) groups are believed to be related, given similarities in tools, tactics and procedures (TTPs), which BlackBerry refers to as “the WINNTI approach.”
Although they have traditionally pursued different objectives and focused on numerous targets, the groups appear coordinated, particularly in their targeting of Linux platforms. Furthermore, the security researchers discovered a close resemblance between the WINNTI GROUP malware and the XOR DDoS botnet.
“As China forges its role as one of the great world powers, it continues to rely upon a blast furnace of cyber espionage operations in order to acquire foreign technologies and intellectual property.” – BlackBerry
What’s more, the security researchers discovered that the Android version of the multi-platform, commercial, off-the-shelf remote administration tool (RAT) NetWire features code similarities with an Android implant (PWNDROID4) that was initially used two years before the tool arrived on the market.
The targeting of Linux systems, BlackBerry argues, is significant because the platform dominates the backend infrastructure of large modern data centers and powers nearly all (98%) of the most advanced supercomputers in the world.
“Linux runs the stock exchanges in New York, London and Tokyo, and nearly all the big tech and e-commerce giants are dependent on it, including the likes of Google, Yahoo, and Amazon. Most U.S. government agencies and the Department of Defense also rely heavily on the Linux operating system, and it runs virtually all of the top one-million websites and 75% of all web servers,” BlackBerry says.
This always-on, always-available nature of Linux servers has allowed the attackers to establish an operations beachhead in the targeted networks, while remaining virtually undetected for almost a decade, the security researchers say.
In the observed attacks, the adversaries leveraged Linux for the development of backdoors, kernel rootkits, and online-build environments, thus building a toolset that was aimed from the start to be difficult to detect.
Other threat actors target Linux as well (adversaries tied to China, Russia, and the United States), but Linux malware is overall rare compared to the sheer volume of malicious tools targeting Windows and MacOS operating systems. However, the aforementioned five adversaries have clearly been highly successful in their targeting of Linux, BlackBerry says.
Tools the hacking groups have developed and deployed against Linux include three backdoors (PWNLNX1, PWNLNX2, PWNLNX3), two rootkits (PWNLNX4, PWNLNX6), two build groups used to create the rootkits, an installer script, a control panel (PWNLNX5), and the XOR.DDoS botnet.
The earliest sample identified appears to have been created in 2012, suggesting that the massive portfolio of tools has been in use for at least eight years.
Analysis of one of the backdoors, PWNLNX1, revealed not only a number of rootkit functions, but also a connection to the XOR.DDoS botnet: the use of /proc/rs_dev for rootkit functionality and of the same XOR key for network traffic obfuscation, namely “BB2FA36AAA9541F0.”
This, in addition to the targeting of the video game industry, led the researchers to the conclusion that both the backdoor and the botnet were the work of the same group.
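The two overlaps above are concrete enough to check for in a sample or a capture. The helpers below are an added example, not code from BlackBerry's report; they assume the quoted key is applied as its 16 raw ASCII bytes, repeating, and the beacon line and ELF fragment are constructed rather than captured.

```python
"""Triage helpers for the PWNLNX1 / XOR.DDoS overlap: decode traffic with the
shared XOR key and look for the indicator strings in carved binaries or dumps."""
import string

XOR_KEY = b"BB2FA36AAA9541F0"              # key quoted in the report (assumed ASCII)
INDICATORS = [b"/proc/rs_dev", XOR_KEY]    # strings tying PWNLNX1 to XOR.DDoS


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key; symmetric, so it encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (incl. whitespace)."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def looks_xor_obfuscated(blob: bytes, min_ratio: float = 0.95) -> bool:
    """Cheap tell for traffic using this key: decoding must turn the blob into
    (almost) fully printable text and raise the printable ratio."""
    raw = printable_ratio(blob)
    decoded = printable_ratio(xor_with_key(blob))
    return decoded >= min_ratio and decoded > raw


def find_indicators(blob: bytes) -> list:
    """Indicator strings present in raw bytes, e.g. a carved ELF or memory dump."""
    return [ind.decode() for ind in INDICATORS if ind in blob]


# Constructed sample: a host-profile beacon as the malware might obfuscate it.
SAMPLE_PLAIN = b"uname: Linux build-01 3.10.0 x86_64 | cpu: 4 | mem: 16G\n"
SAMPLE_WIRE = xor_with_key(SAMPLE_PLAIN)
# Constructed fragment of a binary carrying both indicator strings.
SAMPLE_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"/proc/rs_dev\x00" + XOR_KEY + b"\x00"

if __name__ == "__main__":
    print("obfuscated with known key:", looks_xor_obfuscated(SAMPLE_WIRE))
    print("decoded:", xor_with_key(SAMPLE_WIRE).decode(errors="replace").strip())
    print("indicators:", find_indicators(SAMPLE_ELF))
```

Run on a real capture, the same decode also reveals what the implant reports back, which is what an analyst needs to scope the breach.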
PWNLNX2 and PWNLNX3 were found to be newer variants of PWNLNX1, while the PWNLNX4 and PWNLNX6 rootkits were found to be modified versions of the “Suterusu” rootkit. Additionally, BlackBerry discovered a variant of the Mirai botnet used by the CASPER group.
In their report, BlackBerry’s researchers provide an in-depth analysis of the newly discovered tools and their connections with previously known malware, as well as an overview of the attackers’ activity targeting Windows and mobile devices.
“This ensemble, who have spent the better part of the last decade successfully targeting organizations in stealthy cross-platform attacks, continue to operate relatively undetected while undertaking multiple strategic and economic espionage operations,” BlackBerry concludes.
“The groups being tracked by BlackBerry have clearly made targeted shifts in their tools, tactics, and procedures (TTPs) to more effectively fly under the radar. By using malware signed with adware certificates to communicate with innocuous domain names hosted on public cloud providers, any alerts generated by the APT attack campaign tend to blend into the background. By camouflaging their campaigns in this manner, the attackers are making it increasingly difficult for defenders to identify breaches without productivity-stifling security restrictions,” Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), commented.