Chinese Hackers Stole the World’s Sensitive Data for 10 Years

China is now one of the most powerful countries in the world, financially and economically, and it projects that power online as much as anywhere else. Researchers from BlackBerry have recently published a report on a very old campaign run by Chinese state-sponsored hackers, a campaign that is no longer hidden from the world. The report documents the techniques these groups have used for more than a decade to steal data from Linux servers around the globe. Linux is an attractive target because of how much of the world runs on it: the stock exchanges in New York, London and Tokyo, and nearly all of the big tech and e-commerce companies, including Google, Yahoo and Amazon, depend on it. Most U.S. government agencies and the Department of Defense also rely heavily on Linux, and it runs virtually all of the top one million websites and 75% of all web servers (Netcraft, 2019). Linux powers 98% of the world’s most advanced supercomputers, and most organizations store their data in the cloud, where Linux is almost always the backend.

STRATEGIES USED BY THE ATTACKERS

Researchers identified five APT groups: WINNTI GROUP, PASSCV, BRONZE UNION, CASPER (LEAD) and a newly discovered group, WLNXSPLINTER, which together form a collective the report calls a “splinter cell”. All five are funded and directed by the Chinese government, and they have targeted almost every flavor of Linux across many well-known industrial organizations for espionage and intellectual property theft. The groups were caught using WINNTI-style tooling built specifically for Linux servers, which make attractive footholds because they are “always on, always available”. The WINNTI toolset includes:

  • Three distinct backdoors:

           PWNLNX1

           PWNLNX2

           PWNLNX3

  • Two rootkits, each bundled with a backdoor:

           PWNLNX4

           PWNLNX6

  • An installer script that compiles, downloads and installs the malware: LANCER
  • A control panel used to run the command-and-control (C2) infrastructure and issue commands to the rest of the malware suite: PWNLNX5

Besides these tools, the APT groups have been seen delivering malware in the same way as the XOR DDoS botnet, which has been used to attack video game companies in Asia.

The APT groups use a distinctive technique to get their malware installed on a victim’s network. They sign it with code-signing certificates stolen from video game companies and from adware vendors. Because network defenders tend to treat adware as a low-priority nuisance rather than a threat, a binary carrying an adware vendor’s signature is often waved through, so the stolen signature defeats the trust checks on the end user’s system and the malware remains undetected.

Linux executables use the ELF format, which stands for Executable and Linkable Format. Unlike their Windows counterparts (PEs, or Portable Executables), ELF headers carry no compile time/date stamp, which makes it difficult to determine exactly when a Linux sample was built.
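As an added illustration of this triage problem (example code, not from the BlackBerry report or the original article), the Python script below reads the IMAGE_FILE_HEADER.TimeDateStamp from a PE file and parses the ELF header of a Linux binary, where no such field exists. The two sample headers are constructed minimal byte strings for demonstration, not real malware samples.

```python
import struct
from datetime import datetime, timezone

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def pe_timestamp(data):
    """Return the IMAGE_FILE_HEADER.TimeDateStamp of a PE file as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def elf_info(data):
    """Parse the fields the ELF header does have; none of them is a build time."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class = data[4]                      # 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"class": ei_class, "type": e_type, "machine": e_machine, "timestamp": None}


def compile_timestamp(data):
    """Best-effort build time for a sample: PE carries one in its header, ELF does not."""
    if data[:2] == MZ_MAGIC:
        return pe_timestamp(data)
    return None   # ELF (or anything else): no header field to read


# Constructed minimal headers for demonstration; not real samples.
SAMPLE_PE = (
    MZ_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # DOS header, e_lfanew = 0x40
    + PE_SIGNATURE
    # Machine=AMD64, 3 sections, TimeDateStamp=1262304000 (2010-01-01T00:00:00Z),
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    + struct.pack("<HHIIIHH", 0x8664, 3, 1262304000, 0, 0, 0, 0x22)
)

SAMPLE_ELF = (
    ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9      # e_ident: ELFCLASS64, little-endian, EV_CURRENT
    + struct.pack("<HHI", 2, 0x3E, 1)              # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
    + b"\0" * 40                                   # remaining Elf64_Ehdr fields, zeroed
)


def triage(samples):
    """Map sample name -> build time string, or a note that the format carries none."""
    report = {}
    for name, data in samples.items():
        ts = compile_timestamp(data)
        if ts is not None:
            report[name] = ts.isoformat()
        elif data[:4] == ELF_MAGIC:
            report[name] = "no compile timestamp in header (ELF)"
        else:
            report[name] = "unknown format"
    return report


if __name__ == "__main__":
    for name, line in triage({"sample.exe": SAMPLE_PE, "sample.elf": SAMPLE_ELF}).items():
        print(f"{name}: {line}")
```

For an ELF sample the analyst has to fall back on weaker signals: filesystem mtime/ctime (which an intruder on the box can alter), the .note.gnu.build-id (an identity, not a time), compiler version strings in the .comment section, or the date the hash was first seen in telemetry. None of these is as direct as the PE header field, which is part of why dating the Linux side of this campaign was hard.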

The combination of weak security tooling on the Linux side and the highly tailored, complex malware developed by the splinter cell has produced a suite of tools that went largely undetected for years, on average for about a decade.

Compared with the volume of malware written for Windows and macOS, Linux malware is observed and written about far less often. That is why its detection rate is relatively low and why it turns up relatively rarely in organizational audits.

CONCLUSION

The Chinese threat actors are believed to have targeted nearly every industry sector. More recently they are also believed to combine mobile malware with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns. In the years ahead, China appears set to keep relying on its espionage actors to extend its reach, remain one of the most powerful countries in the world, acquire financial assets and grow its economic markets.