Decades of espionage in Linux servers

BlackBerry presented new study results and exposes the spy activity of five related Advanced Persistent Threat (APT) groups that work in the interests of the Chinese government, a press release. […]

The APT groups have so far pursued different goals and focused on a broad spectrum. (c) Joachim Roy – Fotolia

The “Decade of the RATs” report: Cross-platform APT espionage attacks on Linux, Windows, and Android provide insight into the ubiquitous industrial espionage targeting intellectual property – a topic that, according to the Canadian Department of Justice, is the focus of more than 1,000 open investigations .

The cross-platform nature of the attacks is particularly worrying against the background of security problems caused by the current increase in work from home offices. The tools identified in the attacks are already being used to take advantage of the home office situation, as is the smaller number of employees on site who ensure the protection of critical systems. While the majority of employees have left the office to curb the spread of the corona virus, valuable data remains in the company’s data centers, most of which run on Linux.

Linux operates almost all leading websites, 75 percent of all web servers, 98 percent of high-performance computers worldwide and 75 percent of the major cloud service providers (Netcraft, 2019, Linux Foundation, 2020). Most large organizations rely on Linux to manage websites and proxy network traffic, and to back up important data. The BlackBerry study examines how APTs have used the “Always on, always available” feature of Linux servers to gain access.

“Linux is usually not user-oriented. Most security companies focus on developing solutions that are designed for the front office rather than the server rack, so protection for Linux is insufficient, ”said Eric Cornelius, chief product architect at BlackBerry. “The APT groups took advantage of this vulnerability and stole intellectual property for years without anyone noticing.”

According to the report, other important results of the report are:

  • The APT groups investigated in this report are likely to be civilian contractors who work in the interests of the Chinese government and are willing to share tools, techniques, infrastructure, and targeted information with each other and with government officials, BlackBerry said.
  • The APT groups have so far pursued different goals and focused on a broad spectrum. However, it was found that there is significant collaboration between these groups, particularly as far as the Linux platforms are concerned.
  • The study identified two new examples of Android malware, confirming a trend that was identified in BlackBerry’s previous report, “Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform”. This examined how APT groups used mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.
  • One of the Android malware samples is very similar to the code of a commercially available penetration test tool, but the malware was created almost two years before the commercial tool was first purchased.
  • The study examines several new variants of known malware that are spread by virus protection through the use of code signature certificates as adware. This tactic is intended to increase the attack rate, as it is hoped that the red AV flags will only be dismissed as another sign of constant adware warnings.
  • Research also shows an attacker’s evolution towards using cloud service providers for command-and-control (C2) and data exfiltration communications, which appear to be trusted network traffic.

“Our analysis paints a picture of espionage that targets the backbone of large organizations’ network infrastructure and is more systemic than previously thought,” said John McClurg, chief information security officer at BlackBerry. “The results form another chapter in the history of Chinese IP theft and provide us with new insights from which we can learn.”


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.