In a recent report by BlackBerry Ltd., the intelligent security software and services discovered five related APT (Advanced Persistent Threat) groups that target companies using Linux servers and Windows OS and individuals using devices running on Android for 10 years.

“This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”

The report titled “Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android” provides further insight into pervasive economic espionage operations targeting intellectual property. The APT groups showed signs of a uniformed strategy, according to the report, that while it targets broad options, the victims are all onboard the Linux platforms.

BlackBerry said in its report that the APT groups examined “are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.”

Have you read “Report: Threat actors weaponizing hyper-connectivity with new strategies“?

Linux is one of the most popular and used systems wherein 98% of the world’s supercomputers run on the system. As remote work setup has been ongoing in the past few months in certain countries, cybercriminals have been targeting cloud-based systems and 75% of major cloud service providers are using Linux. Nearly all of the top one million websites online and 75% of all web servers are also using the server.

“This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” says John McClurg, chief information security officer at BlackBerry. “This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”

The research also highlights a shift by attackers towards the use of cloud service providers for command-and-control (C2) and data exfiltration communications which appear to be trusted network traffic.

Linux server rack

“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, chief product architect at BlackBerry. “These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”

Since the workforce in remote setup utilizes multiple platforms, cybercriminals saw it as an opportunity to launch cross-platform attacks. Individual workers working from home may have unsecured devices and corporate data may be available in a public cloud for easier collaboration. These openings are now becoming a playground for cybercriminals.

Android malware

The BlackBerry report examines how APTs have leveraged the “always-on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.

The researchers found two Android malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns. These malware samples use code-signing certificates for the adware that increases infection rates.

“One of the Android malware samples very closely resembles the code in a commercially available penetration testing tool, yet the malware is shown to have been created nearly two years before the commercial tool was first made available for purchase,” the report stated.