BlackBerry uncovers China-backed hacking campaign
TORONTO — BlackBerry Ltd. says its researchers have uncovered how China-backed hackers have been able to extract data from many of the world’s servers for a decade, largely without being noticed by the cybersecurity industry.
It says the tactics give the hackers the ability to extract huge amounts of valuable information from computers using the Linux operating system, which runs most of the world’s web servers and cloud servers.
A 44-page report published by BlackBerry says that five separate groups with links to the Chinese government have been using certain tactics and methods to target Linux systems for a decade.
“We’re not suggesting that this is something entirely new and entirely stand-alone, and undiscovered,” BlackBerry executive Eric Cornelius said in a phone interview Tuesday.
But, he said, BlackBerry asserts that the security industry has missed a major component of the tactics used by a well-established hacker umbrella group known as Winnti, which the company says works with China’s government.
“As an industry, we’ve tended to focus too much on Windows-based devices because they make up the lion’s share of the devices out there,” Cornelius said. “But the adversaries are determined and dedicated and . . . they find any opportunity and, in this case, we’ve called out some really novel techniques they’ve used against Linux and even the Android operating system to accomplish their goals.”
Cornelius said the point of these China-backed hacking campaigns is to exfiltrate, or steal, information that the United States has claimed is worth “multiple billions of dollars” in intellectual property.
“Who knows? Unless you’re an intelligence agency, it’s impossible to substantiate,” Cornelius said. “It’s impossible to quantify (the value).”
However, BlackBerry’s report says, Linux dominates the back-end infrastructure of large modern data centers.
“Linux runs the stock exchanges in New York, London and Tokyo, and nearly all the big tech and e-commerce giants are dependent on it, including the likes of Google, Yahoo, and Amazon,” it says.
As for the impact on Canadian governments and businesses, Cornelius said he wasn’t aware of any claims of that sort because it’s not his area of expertise.
The federal government’s Canadian Centre for Cyber Security said in an email to The Canadian Press that it works with partners to monitor and deal with potential threats but it doesn’t comment on specific incidents.
BlackBerry’s report says that one tactic is to disguise a hacker’s tools as advertising software, which is undesirable but not treated as a high-priority threat.
Cornelius said the Winnti hacking group was able to steal certificates that prove a product’s authenticity, and used those certificates to make its tools pass as adware rather than as the more serious attack software that is flagged for immediate attention.
“A really, really good idea,” said Cornelius, who is BlackBerry’s chief product architect, a position he previously held at Cylance before it was acquired by the Waterloo, Ont.-based company.
Microsoft and Google, which makes the Android operating system, didn’t immediately comment on the BlackBerry report.
This report by The Canadian Press was first published April 7, 2020.