A new report from BlackBerry Ltd. reveals that five separate hacker groups, each with close ties to the Chinese government, have been stealing valuable information and intellectual property from other nations around the world.
BlackBerry Ltd. says that its researchers have uncovered how China-backed hackers have been able to extract data from many of the world’s biggest servers for over a decade—largely without being detected by security teams.
These tactics reportedly give the hackers the ability to extract massive amounts of valuable data from computers that run the Linux operating system, which powers most of the world’s web servers and cloud servers.
A 44-page report by BlackBerry says that “Linux runs the stock exchanges in New York, London and Tokyo, and nearly all the big tech and e-commerce giants are dependent on it, including the likes of Google, Yahoo, and Amazon.”
According to The Star, BlackBerry executive Eric Cornelius “said the point of these China-backed hacking campaigns is to exfiltrate, or steal, information that the United States has claimed is worth “multiple billions of dollars” in intellectual property.”
“As an industry, we’ve tended to focus too much on Windows-based devices because they make up the lion’s share of the devices out there,” Cornelius said.
“But the adversaries are determined and dedicated and... they find any opportunity and, in this case, we’ve called out some really novel techniques they’ve used against Linux and even the Android operating system to accomplish their goals.”
Awareness of these China-backed hacker groups is nothing new. In 2016, the hacker group known as the WINNTI Umbrella, the same group BlackBerry says is involved in its recent findings, breached the German software maker TeamViewer.
According to Cornelius, BlackBerry’s announcement is that the security industry has missed a major component of the tactics used by the well-established hacker group known as the WINNTI Umbrella.
A 2018 intelligence report on the WINNTI Umbrella assessed with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing; that a number of Chinese state intelligence operations from 2009 to 2018, previously unconnected publicly, are in fact linked to the Winnti umbrella; and that the Winnti umbrella continued to operate highly successfully in 2018. Its tactics, techniques, and procedures (TTPs) remain consistent, though the group often experiments with new tooling and attack methodologies.
The WINNTI Umbrella’s cyber-strategies are now largely understood by tech experts. GB Hackers reported that “the Winnti umbrella and associated groups’ initial infections are through phishing to gain access to the target organization. In 2018 their campaigns primarily targeted common services such as Office 365 and Gmail. With their most recent campaigns, they preferred using URL shortening services.”
“Once they gained access to an organization’s network, they used custom malware and tools like Metasploit, and used a number of techniques such as ‘living off the land’ to minimize the chance of detection.”
“A ‘living off the land’ attack describes making use of the tools that are already installed on the system or running simple scripts and shellcode directly in memory.”
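Running scripts and shellcode directly in memory leaves few files for antivirus to scan, but on Linux it still leaves traces in procfs that a defender can check. The script below is an added example, not code from the article, BlackBerry, GB Hackers or Kaspersky; it assumes the standard procfs layout (/proc/<pid>/exe, /proc/<pid>/comm, /proc/<pid>/maps), and the indicator names and the two sample process snapshots are constructed for illustration. It flags processes whose executable was unlinked after launch, whose program image lives in an anonymous memfd, or that map writable-and-executable anonymous memory (the last is low confidence, since JIT runtimes do the same).

```python
"""Defensive triage of Linux processes for in-memory ("fileless") execution.

Added example; not code from the article or from BlackBerry, GB Hackers or Kaspersky.
Assumptions: standard procfs layout; indicator names and sample snapshots are constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class ProcSnapshot:
    """The procfs facts the heuristics need, so they can come from /proc or from a test."""
    pid: int
    comm: str
    exe: str    # readlink target of /proc/<pid>/exe
    maps: str   # full text of /proc/<pid>/maps


def classify(snap: ProcSnapshot) -> List[str]:
    """Return the sorted indicator names that fire for one process ([] means nothing unusual)."""
    findings = set()
    # Binary unlinked after exec: the kernel appends " (deleted)" to the exe link target.
    if snap.exe.endswith(" (deleted)"):
        findings.add("exe-deleted")
    # Program image lives in an anonymous memfd rather than on disk.
    if snap.exe.startswith("/memfd:"):
        findings.add("exe-memfd")
    for line in snap.maps.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        if "x" in perms and path.startswith("/memfd:"):
            findings.add("map-memfd-exec")   # executable code mapped from a memfd
        elif perms.startswith("rwx") and path == "":
            findings.add("map-anon-rwx")     # anonymous RWX region; low confidence (JITs do this too)
    return sorted(findings)


def snapshot_from_proc(pid: int, proc_root: str = "/proc") -> Optional[ProcSnapshot]:
    """Build a snapshot for a live process; None if it vanished or is not readable."""
    base = f"{proc_root}/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/maps") as f:
            maps = f.read()
    except OSError:
        return None
    return ProcSnapshot(pid, comm, exe, maps)


def scan_running(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Map pid -> indicators for every live process that triggers at least one indicator."""
    hits: Dict[int, List[str]] = {}
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        snap = snapshot_from_proc(int(entry), proc_root)
        if snap is None:
            continue
        found = classify(snap)
        if found:
            hits[snap.pid] = found
    return hits


# Constructed sample snapshots (not captured from a real incident).
BENIGN = ProcSnapshot(
    pid=4242, comm="bash", exe="/usr/bin/bash",
    maps="\n".join([
        "55d4a0000000-55d4a00e0000 r-xp 00000000 08:01 1234 /usr/bin/bash",
        "55d4a02f0000-55d4a0320000 rw-p 00000000 00:00 0 [heap]",
        "7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]",
    ]),
)
SUSPICIOUS = ProcSnapshot(
    pid=31337, comm="payload", exe="/memfd:payload (deleted)",
    maps="\n".join([
        "7f3c00000000-7f3c00021000 r-xp 00000000 00:05 99 /memfd:payload (deleted)",
        "7f3c10000000-7f3c10010000 rwxp 00000000 00:00 0",
    ]),
)

if __name__ == "__main__":
    for snap in (BENIGN, SUSPICIOUS):
        print(snap.pid, snap.comm, classify(snap) or "clean")
    for pid, found in scan_running().items():
        print("live", pid, found)
```

Run it as root to see every process; unprivileged runs only classify the caller’s own processes, since /proc/<pid>/exe of other users is not readable. Treat the output as a triage list, not a verdict: the memfd and deleted-exe indicators deserve a look at the parent process and command line, while the anonymous RWX indicator mostly surfaces JIT runtimes.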
A 2013 deep-dive into the inner workings of the WINNTI Umbrella, conducted by Kaspersky, revealed how researchers found the location of the Chinese hackers’ sessions.
“We have observed a few cases of the attackers mistakenly accessing victim machines without a proxy, potentially identifying the true location of the individual running the session. In all of these cases, the netblock was 22.214.171.124/13, the China Unicom Beijing Network, Xicheng District.”
At the time of this writing, the tech security industry has made no public announcement of an investigation into the illegal activity of China’s state-sponsored hacker groups.