BlackBerry uncovers hacker tools that it says opened data servers for a decade

BlackBerry Ltd. says its researchers have uncovered how China-backed hackers have been able to extract data from any of the world's servers for a decade largely without being noticed by cyber security.

The Waterloo, Ont.-based company says the tactics give the hackers the ability to extract information from huge amounts of valuable data from computers using the Linux operating system, which is used on most of the world's web servers and cloud servers.

A 44-page report published by BlackBerry says that five separate groups with links to the Chinese government have been using certain tactics and methods to target Linux systems for a decade.

"We're not suggesting that this is something entirely new and entirely stand-alone, and undiscovered," BlackBerry executive Eric Cornelius said in a phone interview Tuesday.

But, he said, BlackBerry asserts that the security industry has missed a major component of tactics used by a well established hacker umbrella group known as WINNIT, which the company says works with China's government.

"As an industry, we've tended to focus too much on Windows-based devices because they make up the lion's share of the devices out there," Cornelius said.

"But the adversaries are determined and dedicated and ... they find any opportunity and, in this case, we've called out some really novel techniques they've used against Linux and even the Android operating system to accomplish their goals."

'Linux runs the stock exchanges'

Cornelius said the point of these China-backed hacking campaigns is to exfiltrate, or steal, information that the United States has claimed is worth "multiple billions of dollars" in intellectual property.

"Who knows? Unless you're an intelligence agency, it's impossible to substantiate," Cornelius said. "It's impossible to quantify (the value)."

However, BlackBerry's report says, Linux dominates the back-end infrastructure of large modern data centers.

"Linux runs the stock exchanges in New York, London and Tokyo, and nearly all the big tech and e-commerce giants are dependent on it, including the likes of Google, Yahoo, and Amazon," it says.

As for the impact on Canadian governments and businesses, Cornelius said, he wasn't aware of any claims of that sort because it's not his area of expertise.

Disguised as advertising software

The federal government's Canadian Centre for Cyber Security said in an email to The Canadian Press that it works with partners to monitor and deal with potential threats but it doesn't comment on specific incidents.

BlackBerry's report says that one tactic is to disguise a hacker's tools as advertising software, which is undesirable but not considered a high priority.

Cornelius said the WINNIT hacking group was able to steal certificates that prove a products' authenticity, and use the certificates to pretend to be adware rather than more serious attack software that's flagged for immediate attention.

"A really, really good idea," said Cornelius, who is BlackBerry's chief product architect, a position he previously held at Cylance before it was acquired by the Waterloo, Ont.-based company.

Google, which makes the Android operating system, and Microsoftdidn't immediately comment on the BlackBerry report.