Linux Security: Chinese State Hackers May Have Compromised ‘Holy Grail’ Targets Since 2012

Forbes – by Davey Winder

For the best part of the last decade, according to a new report from the BlackBerry research and intelligence team, advanced hackers working in the interests of China have been attacking Linux targets with a lot of success and little to no detection. Hardly problematical, you might think, given that the latest statistics show Linux holds 1.71% of the global desktop operating system market share compared to 77.1% for Windows. That is until you realize that Linux powers 100% of the top 500 supercomputers and, according to the BlackBerry research, 75% of all web servers and major cloud service providers for good measure. In February, U.S. Attorney General William Barr warned of ongoing cyber-threats against business by Chinese state actors, saying that China “employs a multi-prong approach engaging in cyber intrusions co-opting private sector insiders through its intelligence services.”

Decade of Chinese RATs

This new research adds to that concern, claiming that a concerted effort involving five Chinese advanced persistent threat (APT) groups has been focused on the Linux servers that “comprise the backbone of the majority of large data centers responsible for some of the most sensitive enterprise network operations.” What the researchers found was evidence of a previously undocumented Linux malware toolset being used by these threat actors: a toolset that includes no fewer than two kernel-level rootkits and three backdoors, and that, the researchers have confirmed, has been actively deployed since March 13, 2012. The Decade of RATs analysis by the BlackBerry researchers links this previously unidentified malware toolkit with one of the largest Linux botnets ever discovered, and concludes that it is “highly probable” that the number of impacted organizations is significant and “the duration of the infections lengthy.”

Chinese threat actor attribution

The researchers are highly confident that the five APT groups involved are made up of civilian contractors working in the interest of the Chinese government. That involvement, however, can be plausibly denied by the government, the report suggests, as tools, techniques and attack infrastructure are shared with few bureaucratic or legal hurdles. The groups are best described as using the tactics, techniques and procedures (TTPs) of WINNTI, one of the original Chinese APT groups, which is thought to have long since disbanded. They target, the researchers say, Red Hat Enterprise, CentOS, and Ubuntu Linux environments “systematically across a wide array of industry verticals,” for cyber espionage and intellectual property theft purposes.

Linux defensive capabilities immature at best, report claims

Linux is not, the report claims, a primary focus of security solutions, and defensive coverage within Linux environments is “immature at best,” with inadequately utilized endpoint protection or endpoint detection and response products. This has enabled the attackers to use those Linux servers as a “network beachhead for other operations,” according to the BlackBerry researchers. “Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems,” Eric Cornelius, chief product architect at BlackBerry, says, “and security research about APT use of Linux malware (that also might turn it up) is also relatively sparse.”

https://www.forbes.com/sites/daveywinder/2020/04/07/linux-security-chinese-state-hackers-have-compromised-holy-grail-targets-since-2012/#301b9b652086

One thought on “Linux Security: Chinese State Hackers May Have Compromised ‘Holy Grail’ Targets Since 2012”

  1. MS-DOS, Xerox and Windows and Apple all started with Unix Base OS Kernels and still use them for their subsystems.
    Along with Google Android devices…they are running Unix/Linux based tweaked code in the background. Not Windows 10 OS market share graphics.
    So this article means nothing to me….except tin foil hat Chinese fear mongering to stop people taking control back of their operating systems.
    You’ll experience this if you know anything about writing code.
    My personal opinion is that people are so stupid they need Windows to operate.
    The first level of security is always physical access to the device.
    AKA computer rooms etc…..no physical access.
    That is plugging it into the physical network hardware, wifi.
    To me this says 90% of you are hacked just by market share alone.
    So if you’re gonna put stupid sht like this up for Bill Gates then you get what you deserve.
    A bloated OS that’s copying your data to the cloud without your permission.
    I would be concerned more with the Chinese chips and hardware than the OS.
    Naysayers……and Defeatists….even at the Operating system.
    Get the FK outta here.
    https://www.theregister.co.uk/2020/04/09/windows_10_insider_build_10x_delays/
