Five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices in a prolonged cross-platform attack, Canadian security software and services firm Blackberry claims.
According to a new report, the examined APT groups are likely composed of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and with their government counterparts.
Four of the five groups described in the report are previously known threat actors: Bronze Union (also known as Emissary Panda, APT27), PassCV, Casper (Lead), and the original WINNTI APT group. The fifth group, dubbed WLNXSPLINTER by the researchers, is a Linux splinter cell group.
While the threat actors pursued different mission objectives in the past, Blackberry said it had observed collaboration among them; most significantly, they share the same Linux malware and infrastructure, including backdoors, remote access trojans, and implants used for conducting various malicious activities.
The emphasis on Linux in the report is due to the fact that a significant number of important servers on the Internet run the open-source operating system.
“Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. While Linux may not have the visibility that other front-office operating systems have, it is arguably the most critical where the security of critical networks is concerned. Linux runs nearly all of the top 1 million websites, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers,” the researchers pointed out.
In addition to attacking Linux servers, the threat actors have also targeted back-end Windows systems and Android devices. The researchers found two new samples of Android malware, one of which closely resembles the code of a commercially available penetration testing tool. However, Blackberry said, this malware sample was created nearly two years before the commercial tool became available for purchase.
“This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged. This research opens another chapter in the Chinese IP theft story, providing us with new lessons to learn,” the researchers said.