BlackBerry released a detailed research report that examines how five related Advanced Persistent Threat (APT) groups systematically targeted Linux, Windows and Android systems undetected for nearly a decade.
Titled ‘Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android,’ the report will be available for download on BlackBerry’s website.
The APT groups, which the Waterloo, Ontario-based company says operate in the interest of the Chinese government, take advantage of gaps in existing security to conduct ‘economic espionage.’ Specifically, the groups target intellectual property.
BlackBerry notes that the issue is so prevalent, the U.S. Department of Justice says it is the focus of over 1,000 open investigations across all 56 FBI field offices.
Worse, the cross-platform nature of the attacks from these APT groups is particularly concerning given the recent shift to remote work in an effort to mitigate the spread of COVID-19. BlackBerry says the tools it identified in the ongoing attack campaigns are already positioned to take advantage of work-from-home mandates. Further, with fewer onsite personnel maintaining the security of critical systems, BlackBerry says the risks are compounded.
Linux forms the core of enterprise network infrastructure and is the primary target of these groups
One of the central issues is that intellectual property resides in enterprise data centres, the majority of which run on Linux. BlackBerry notes that nearly all of the top 1 million websites, 75 percent of all web servers, 98 percent of the world’s supercomputers and 75 percent of major cloud service providers run on Linux. The APT groups leverage Linux’s “always on, always available” nature to attack a variety of targets.
Additionally, the report notes that the APT groups are likely comprised of civilian contractors. The contractors work in the interest of the Chinese government and share tools, techniques, infrastructure and targeting information with one another and their government counterparts. Further, while the groups traditionally pursued different objectives and targets, BlackBerry says there is a significant amount of coordination between the groups, particularly when targeting Linux platforms.
On top of that, the research identifies two new examples of Android malware used alongside traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns. Additionally, the research examines several new variants of well-known malware that are signed with code-signing certificates associated with adware in order to slip past network defenders. It appears the attackers hope that by presenting as adware, their malware becomes harder to distinguish from the near-constant stream of adware alerts, and is more likely to be down-ranked or ignored during triage.
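The practical lesson from the adware-certificate finding is that a valid Authenticode signature is not evidence that a binary is benign. The following PowerShell script is an added example written for this page, not code from the BlackBerry report; it inventories validly signed executables and DLLs under a directory and ranks signers by how rarely they appear, so that an unfamiliar publisher whose only footprint is one or two binaries is surfaced for review instead of being waved through as "just adware". The scan root and report path are assumptions for illustration; adjust them to your environment.

```powershell
# Added example, not from the BlackBerry report. Inventories valid Authenticode
# signers so a signature from an unfamiliar or adware publisher is reviewed rather
# than treated as proof of benignity. $ScanRoot and $Report are assumed defaults.
param(
    [string]$ScanRoot = "$env:ProgramData",
    [string]$Report   = "$env:TEMP\signer-inventory.csv"
)

# Collect every validly signed PE under the scan root. Unsigned or tampered files
# are excluded here on purpose: the point is to scrutinise what *passed* signature
# checks, since that is exactly where adware-signed malware hides.
$signed = Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' } |
    Select-Object Path,
        @{ Name = 'Signer';     Expression = { $_.SignerCertificate.Subject } },
        @{ Name = 'Issuer';     Expression = { $_.SignerCertificate.Issuer } },
        @{ Name = 'Thumbprint'; Expression = { $_.SignerCertificate.Thumbprint } },
        @{ Name = 'NotAfter';   Expression = { $_.SignerCertificate.NotAfter } }

# Rank signers by prevalence, rarest first. A publisher that signs a handful of
# binaries across the estate deserves a look before its alerts are triaged away.
$signed |
    Group-Object -Property Signer |
    Sort-Object -Property Count |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Persist the full inventory (path, signer, issuer, thumbprint, expiry) so that
# thumbprints can be correlated against other hosts or fed to a detection rule.
$signed | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Signer inventory written to $Report"
```

Run it from an elevated prompt so that system directories are readable; the rarest signers at the top of the table are the ones to pivot on (thumbprint reuse across hosts, certificate issuer, the behaviour of the signed binary), because the signature itself tells you only who bought the certificate, not what the code does.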
BlackBerry’s chief information security officer, John McClurg, says the “research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure.”
You can learn more or access the BlackBerry report for yourself on the company’s website.