The state-backed Chinese advanced persistent threat (APT) groups are among the world’s oldest, most skilled and most active agents of cyber espionage. As formidable as these groups are already known to be, a new report from BlackBerry indicates that their reach and capability may be even greater than previously thought.

The report outlines a coordinated campaign by five of these groups that dates back at least eight years. The groups have been exploiting overlooked remote access vulnerabilities in Linux servers, using those servers as a launch point for malware attacks against Windows systems and Android devices. In some cases, the groups have taken advantage of a general lack of interest in Linux security to quietly exfiltrate data from targets for years at a time.

A systematic campaign by Chinese APT groups
The report, entitled “Decade of the RATs”, shows that five particular groups of civilian contractor hackers in China have been coordinating their efforts and sharing information in a wide-ranging cyber espionage campaign directed at industries and government agencies all over the world. The common link among targets is that each had overlooked Linux servers that could be exploited as a doorway into the network.

The report does not name specific compromised organizations or put out a total figure, but characterizes the number of organizations breached in this campaign as “significant.” These organizations may have been compromised for years without being aware of it.

How did this happen? Linux is the backbone of most data centers and supercomputers. But it is almost entirely a “back of the house” component, and as such these systems tend not to receive the attention that the employee- and customer-facing elements do. Once these Linux servers are compromised, however, they give the groups ample opportunity to deliver malware to Windows and Android devices throughout the network. Servers that run on Linux are a perfect target: not only are they more poorly defended, they need to be constantly up and running, and they rely on a relative handful of skilled specialists to maintain them. This longstanding gap in security persists because security companies focus their engineering and marketing attention on the elements that see the most end user interaction.

There is no one Linux distribution that stands out as especially vulnerable; the Chinese APT groups have repeatedly targeted CentOS, Red Hat and Ubuntu environments, among others.

Compromised Linux proxy servers undermine the internal defenses that segment company networks, while compromised web servers can be used to exfiltrate large amounts of data without raising alarms.

Once on the servers, the groups deploy remote access trojan (RAT) malware to establish a persistent presence on devices and computers inside the target network. They make use of a specific piece of Android malware that allows phone calls, SMS messages, audio and GPS location to be monitored and recorded. The Windows RATs used by the groups deliver rootkits that essentially allow the attacker to monitor and exfiltrate anything on the host system.

Tactics and tools
The backdrop of all of this is China’s economic strategy, which relies more on stealing intellectual property and adapting technology from other world powers than it does on innovation. Though other countries (the United States included) actively develop and use Linux malware, China devotes more resources to studying the open source OS for vulnerabilities than any other.

The five Chinese APT groups involved in this campaign are collectively referred to as Winnti by the report. The original Winnti Group was first spotted around 2010, attacking online games in South Korea. Named for Symantec’s entry for their original malware, the original group remains intact but seems to have coordinated with four other Chinese APT groups for this campaign: PassCV, Bronze Union, Casper and WLNXSplinter.

A key to the groups’ success has been two previously unknown Linux malware toolkits that contain kernel-level rootkits that are very difficult to detect. Another signature is the use of Windows malware signed with valid code-signing certificates that appear to belong to legitimate “adware” programs, the type that usually slip past automated security and administrator attention.
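One cheap consistency check for self-hiding Linux kernel modules of the kind described above, written here as an added example (it is not code from the BlackBerry report and is not tied to any particular toolkit): a module that unlinks itself from the kernel's module list vanishes from /proc/modules and from `lsmod`, but its directory under /sys/module, with an `initstate` file, normally remains. The sample data is constructed; the only assumption is that `initstate` is present for loadable modules and absent for built-in code.

```python
import os

# Constructed sample, not taken from any real host: xfs has been unlinked from
# the kernel's module list, printk is built-in code that has no initstate file.
SAMPLE_PROC = "ext4 729088 1 - Live 0x0000000000000000\n"
SAMPLE_SYSFS = {"ext4": "live\n", "xfs": "live\n", "printk": None}


def loaded_modules_from_proc(text):
    """Module names from /proc/modules text (the view `lsmod` prints)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def live_modules_from_sysfs(entries):
    """Loadable modules that sysfs reports as live.

    `entries` maps each /sys/module subdirectory to the content of its
    `initstate` file, or None when absent. Built-in code with parameters also
    gets a directory there, but only loadable modules carry `initstate`.
    """
    return {n for n, s in entries.items() if s is not None and s.strip() == "live"}


def hidden_modules(proc_text, sysfs_entries):
    """Modules live in sysfs but missing from /proc/modules.

    Unlinking from the module list is the classic LKM-rootkit hiding trick.
    A non-empty result is a lead for forensic follow-up, not proof on its own.
    """
    return live_modules_from_sysfs(sysfs_entries) - loaded_modules_from_proc(proc_text)


def read_sysfs_entries(root="/sys/module"):
    """Read initstate for every entry under /sys/module (Linux only)."""
    entries = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "initstate")) as fh:
                entries[name] = fh.read()
        except OSError:  # no initstate: built-in, not a loadable module
            entries[name] = None
    return entries


if __name__ == "__main__":
    with open("/proc/modules") as fh:
        suspects = hidden_modules(fh.read(), read_sysfs_entries())
    for name in sorted(suspects):
        print("live in sysfs but absent from /proc/modules:", name)
```

Run it on a live host to compare the two kernel views; a rootkit that also scrubs sysfs will evade it, so treat a clean result as one data point among several.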

The researchers also uncovered links indicating that the XOR.DDoS botnet, one of the largest Linux botnets ever discovered, was under the control of the Chinese APT groups. This botnet went on a tear of high-bandwidth attacks in 2014 and 2015, mostly targeting video game companies based in Asia.

The Android malware, PWNDROID4 and PWNDROID5, is primarily distributed as fake Adobe Flash updates. PWNDROID4 was found to be capable of recording just about any audio passing through the device, as well as passing on copies of text messages and the device’s GPS location data.

How did the threat groups stay hidden for so long?
High-level state-backed APT groups such as these usually guard their tools and methods very tightly. It is very unusual for groups of this kind to share with each other even internally at the level seen here.

Aside from the high-profile use of a large botnet in 2014 and 2015, these Chinese APT groups have otherwise been dedicated almost entirely to low-key economic espionage. As Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), points out: “The groups being tracked by BlackBerry have clearly made targeted shifts in their tools, tactics, and procedures (TTPs) to more effectively fly under the radar. By using malware signed with adware certificates to communicate with innocuous domain names hosted on public cloud providers, any alerts generated by the APT attack campaign tend to blend into the background. By camouflaging their campaigns in this manner, the attackers are making it increasingly difficult for defenders to identify breaches without productivity-stifling security restrictions.”