BlackBerry uncovers major APT campaign

New research by BlackBerry Limited has shed light on tech-enabled economic espionage operations, which it says have been conducted in the interest of the Chinese government.

The research reveals that five related advanced persistent threat (APT) groups have been targeting Linux servers, Windows systems and mobile devices running Android, to get hold of valuable intellectual property (IP).

The report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, provides a wealth of further insights into the illicit campaign — including new examples of Android malware and new methods of bypassing network defenders.

The new malware variants appear to be penetrating the network through the use of code-signing certificates for adware — with AV red flags often dismissed as a ‘blip’ in a constant stream of adware alerts, the report shows.

A shift to cloud service providers for command-and-control and data exfiltration is also boosting infection rates, as these appear to be trusted in the network traffic.

Attacks on IP are already a key focus of the US Department of Justice, with more than 1000 ongoing investigations in all of its 56 FBI field offices.

This concern is now heightened, given the sudden influx of remote work, in response to the COVID-19 crisis and social distancing guidelines.

Work-from-home tools are particularly vulnerable to these kind of attack campaigns. Additionally, unoccupied offices are leaving IP held in enterprise data centres (most of which run on Linux) at risk.

Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020). Most large organisations rely on Linux to run websites, proxy network traffic and store valuable data.

The “always on always available” nature of Linux servers makes them particularly vulnerable, with attackers establishing a “beachhead for operations” across a wide range of targets, says the report.

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry.

“These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

John McClurg, Chief Information Security Officer at BlackBerry, added, “This research paints a picture of an espionage effort targeting the very backbone of large organisations’ network infrastructure that is more systemic than has been previously acknowledged.

“This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”

Image credit: ©stock.adobe.com/au/deagreez