Skip to content

BlackBerry uncovers hacker tools that it says opened data servers for a decade


TORONTO — BlackBerry Ltd. says its researchers have uncovered how China-backed hackers have been able to extract data from many of the world's servers for a decade — largely without being noticed by cyber security.

It says the tactics give the hackers the ability to extract information from huge amounts of valuable data from computers using the Linux operating system, which is used on most of the world's web servers and cloud servers.

A 44-page report published by BlackBerry says that five separate groups with links to the Chinese government have been using certain tactics and methods to target Linux systems for a decade.

"We're not suggesting that this is something entirely new and entirely stand-alone, and undiscovered," BlackBerry executive Eric Cornelius said in a phone interview Tuesday.

But, he said, BlackBerry asserts that the security industry has missed a major component of tactics used by a well-established hacker umbrella group known as WINNIT, which the company says works with China's government.

"As an industry, we've tended to focus too much on Windows-based devices because they make up the lion's share of the devices out there," Cornelius said.

"But the adversaries are determined and dedicated and . . . they find any opportunity and, in this case, we've called out some really novel techniques they've used against Linux and even the Android operating system to accomplish their goals."

Cornelius said the point of these China-backed hacking campaigns is to exfiltrate, or steal, information that the United States has claimed is worth "multiple billions of dollars" in intellectual property.

"Who knows? Unless you're an intelligence agency, it's impossible to substantiate," Cornelius said. "It's impossible to quantify (the value)."

However, BlackBerry's report says, Linux dominates the back-end infrastructure of large modern data centers.

"Linux runs the stock exchanges in New York, London and Tokyo, and nearly all the big tech and e-commerce giants are dependent on it, including the likes of Google, Yahoo, and Amazon," it says. 

As for the impact on Canadian governments and businesses, Cornelius said, he wasn't aware of any claims of that sort because it's not his area of expertise.

The federal government's Canadian Centre for Cyber Security said in an email to The Canadian Press that it works with partners to monitor and deal with potential threats but it doesn't comment on specific incidents.  

BlackBerry's report says that one tactic is to disguise a hacker's tools as advertising software, which is undesirable but not considered a high priority.

Cornelius said the WINNIT hacking group was able to steal certificates that prove a products' authenticity, and use the certificates to pretend to be adware rather than more serious attack software that's flagged for immediate attention.

"A really, really good idea," said Cornelius, who is BlackBerry's chief product architect, a position he previously held at Cylance before it was acquired by the Waterloo, Ont.-based company. 

Microsoft and Google, which makes the Android operating system, didn't immediately comment on the BlackBerry report.

This report by The Canadian Press was first published April 7, 2020.

Companies in this story: (TSX:BB)

David Paddon, The Canadian Press

Looking for National Business News? viewed on a mobile phone

Check out Village Report - the news that matters most to Canada, updated throughout the day.  Or, subscribe to Village Report's free daily newsletter: a compilation of the news you need to know, sent to your inbox at 6AM.