Government agencies are well aware of the wide variety of cyber threats that impact their organizations. From insider threats to bad actors, agencies across the government are bolstering their cyber posture to prevent these threats. However, one threat has been a persistent but overlooked issue for agencies: attacks on the system that keeps them running, Linux.
According to the Linux Foundation, Linux runs nearly all the top 1 million websites, 75 percent of all web servers, 98 percent of supercomputers, and 75 percent of major cloud providers. Linux is used by the Department of Defense, Federal Aviation Administration, and the USPS. The recently released report by Blackberry Cylance titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, explores how bad actors, specifically China-backed hackers, are targeting valuable information through these systems.
“Partnership is the…key. We have to partner with those around us in order to get a full view,” said David Tillman, IT Security and Risk Executive at the National Credit Union Administration at RSA Public Sector Day.
“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry. “These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”
The report examines how Advanced Persistent Threat (APT) groups acting in the interests of the Chinese government have targeted these servers for almost a decade without being detected. This espionage is the focus of over 1,000 open investigations by the FBI and a priority for the Department of Justice. These APT groups are composed of civilian contractors who share information and tools with the Chinese government. The report found that malware was one of the main tactics used by these APTs, and that this malware uses code-signing certificates issued for adware to increase the infection rate and steal even more data.
The report also explores the use of cloud service providers for command and control, which makes the traffic appear trusted on the network. With the current work-from-home mandates, these cross-platform attacks are concerning. The COVID-19 outbreak has removed the onsite personnel who maintain security and increased the use of the systems that these bad actors target. As data moves off these networks and systems, these APTs have continued to share tools and create new tactics to steal valuable data from our government organizations while remaining undetected.
“This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” said John McClurg, Chief Information Security Officer at BlackBerry. “This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”
Download the report to learn more about these cyber threats.