Report claims Chinese state hackers have been compromising Linux servers since 2012
For the best part of the last decade, according to a new report from the BlackBerry research and intelligence team, advanced hackers working in the interests of China have been attacking Linux targets with a lot of success and little to no detection. Hardly problematic, you might think, given that the latest statistics show Linux holds 1.71% of the global desktop operating system market share compared to 77.1% for Windows. That is, until you realize that Linux powers 100% of the top 500 supercomputers and, according to the BlackBerry research, 75% of all web servers and major cloud service providers for good measure. In February, U.S. Attorney General William Barr warned of ongoing cyber-threats against business by Chinese state actors, saying that China “employs a multi-prong approach, engaging in cyber intrusions, co-opting private sector insiders through its intelligence services.”
Decade of Chinese RATs
This new research adds to that concern, claiming that a concerted effort involving five Chinese advanced persistent threat (APT) groups has been focused on the Linux servers that “comprise the backbone of the majority of large data centers responsible for some of the most sensitive enterprise network operations.” What the researchers found was evidence of a previously undocumented Linux malware toolset being used by these threat actors. The toolset includes no fewer than two kernel-level rootkits and three backdoors and, the researchers have confirmed, has been actively deployed since March 13, 2012. The Decade of RATs analysis by the BlackBerry researchers links this previously unidentified malware toolkit with one of the largest Linux botnets ever discovered, and concludes that it is “highly probable” that the number of impacted organizations is significant and “the duration of the infections lengthy.”
Chinese threat actor attribution
The researchers are highly confident that the five APT groups involved are made up of civilian contractors working in the interest of the Chinese government. That involvement, however, can be plausibly denied by the government, the report suggests, as tools, techniques and attack infrastructure are shared with few bureaucratic or legal hurdles. The groups are best described as using the tactics, techniques and procedures (TTPs) of WINNTI, one of the original Chinese APT groups, which is thought to have long since disbanded. They target, the researchers say, Red Hat Enterprise Linux, CentOS, and Ubuntu Linux environments “systematically across a wide array of industry verticals,” for cyber espionage and intellectual property theft purposes.
Linux defensive capabilities immature at best, report claims
Linux is not, the report claims, a primary focus of security solutions, and defensive coverage within Linux environments is “immature at best,” with inadequately utilized endpoint protection or endpoint detection and response products. This has enabled the attackers to use those Linux servers as a “network beachhead for other operations,” according to the BlackBerry researchers. “Security products and services that support Linux, offerings that might detect and give us insight into a threat like this, are relatively lacking compared to other operating systems,” Eric Cornelius, chief product architect at BlackBerry, says, “and security research about APT use of Linux malware (that also might turn it up) is also relatively sparse.”
Is Linux mature and secure?
Joe McManus, director of security at Canonical, which publishes Ubuntu, disagrees. “I think that clearly the premise that Linux security is not mature is incorrect,” he told me, adding, “Linux and, particularly Ubuntu, are incredibly secure systems but, that being said, it is their popularity that makes them a target.” McManus was not surprised that nation-state actors are attacking Linux operating systems. And Ian Thornton-Trump, a threat intelligence expert and the CISO at Cyjax, was not surprised that Chinese APT actors, which he describes as “among the best in the world,” are attacking Linux servers. “It should come as no surprise adversaries have mission capabilities across the whole range of cyber targets, including Linux,” Thornton-Trump says, explaining that some of Western nations’ most sensitive systems run on Linux, ranging from secure telecommunications systems to supercomputers. “From an economic and mission perspective,” he concludes, “it makes sense for a threat actor to invest in open source skills for flexibility and the ability to target the systems where the good stuff is happening.”
As far as the fact that such an advanced attack toolkit could remain undiscovered for so long, Joe McManus says that “nation-state actors are particularly good at keeping their toolkits private, as unlike financially motivated actors they are less likely to resell the toolkits in use.” And, as Philip Ingram, a former Colonel in British Military Intelligence, says, “It could be the open source nature that has kept it undetected, and if state developed there will be no documentation in the public domain.”
Mitigating against the Linux APT threat
And what about mitigating against this kind of attack? “The things that need to be done to better protect Linux systems I believe,” Ingram says, “are understanding the threat and treating it as if they are at as much a threat as any other operating system; this is as much a psychological as physical approach.” A peer-reviewed OS does not mean a more secure OS, according to Ingram. “The second thing is when looking at specific elements, know your developers and know their coding, ensure the versions used are ones that specifically address security concerns and finally ensure you have the appropriate security related tools.”
“As with any operating system, a layered security approach is required,” McManus says, “from kernel, AppArmor, patching, system administration and network security. Security is priority one in Linux.” To which Thornton-Trump adds that it’s all about reducing attack surface exposure and network traffic analysis. “The vulnerable can be protected using isolation techniques,” he says, concluding “now doesn’t that sound a little familiar?”
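The report describes kernel-level rootkits and userland backdoors, and the advice above is to layer kernel hardening, AppArmor, patching and sound administration. As an added example, not from the article, the BlackBerry report or any of the people quoted, the script below shows two quick integrity checks a Linux administrator can run on a Red Hat, CentOS or Ubuntu server to hunt for those two classes of implant. The first compares the module list in /proc/modules (what lsmod prints) with the directories under /sys/module: a loadable-module rootkit that unlinks itself from the kernel's module list to hide from lsmod usually still has its sysfs directory, and only loaded modules get a refcnt file there, which separates them from built-in kernel code that merely exposes parameters. The second parses `rpm -Va` output and reports packaged files whose size or digest changed, ignoring config files, since an edited sshd_config is normal and a changed /usr/sbin/sshd is not. The function names, the `--live` flag and the sample `rpm -Va` lines are mine and constructed for illustration; the /proc/modules, /sys/module and `rpm -V` formats are the real ones.

```shell
#!/bin/sh
# Added example: two Linux implant hunting checks (not the report's tooling).

# hidden_modules [PROC_MODULES] [SYS_MODULE_DIR]
# Prints module names that have a refcnt entry under sysfs (i.e. were loaded
# as modules) but are missing from the /proc/modules list that lsmod reads.
# Caveat: a rootkit that also deletes its sysfs kobject will not show up here,
# so treat this as one signal among several, not proof of a clean host.
hidden_modules() {
  proc_modules="${1:-/proc/modules}"
  sys_module="${2:-/sys/module}"
  listed=$(awk '{print $1}' "$proc_modules" | sort)
  for dir in "$sys_module"/*/; do
    [ -e "${dir}refcnt" ] || continue          # built-ins have no refcnt
    name=$(basename "$dir")
    printf '%s\n' "$listed" | grep -qx -- "$name" || printf '%s\n' "$name"
  done
}

# tampered_binaries < rpm-V-output
# rpm -V lines look like "S.5....T.  c /etc/foo": a nine-character flag field
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities), an optional file-type marker (c config, d doc, ...) and
# the path. Report files whose contents changed (S or 5 set) that are not
# config files; an attacker-replaced system binary shows up this way.
# Caveat: a root-level attacker can also edit the rpm database, so for a
# suspected host verify against a trusted package file (rpm -Vp) or offline
# known-good digests. On Ubuntu, `debsums -c` lists changed files instead.
tampered_binaries() {
  awk '
    $1 == "missing" { print "missing " $NF; next }
    NF >= 2 && length($1) == 9 {
      flags = $1; type = (NF == 3) ? $2 : ""; path = $NF
      if (type != "c" && (index(flags, "S") || index(flags, "5"))) print path
    }'
}

# Constructed sample of `rpm -Va` output (not from a real host) so the parser
# can be exercised offline. Only /usr/bin/ls and /usr/sbin/sshd should be
# reported: libc only has a new mtime and sshd_config is a config file.
SAMPLE_RPM_V='S.5....T.    /usr/bin/ls
.......T.    /usr/lib64/libc.so.6
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd'

# Usage: `sh linux_hunt.sh` runs the parser on the sample above;
# `sh linux_hunt.sh --live` runs both checks against the running system
# (rpm -Va can take several minutes on a large install).
case "${1:-}" in
  --live)
    echo "== modules under /sys/module hidden from /proc/modules =="
    [ -r /proc/modules ] && hidden_modules
    if command -v rpm >/dev/null 2>&1; then
      echo "== packaged files with changed contents (rpm -Va) =="
      rpm -Va 2>/dev/null | tampered_binaries
    fi
    ;;
  *)
    echo "== sample rpm -Va triage =="
    printf '%s\n' "$SAMPLE_RPM_V" | tampered_binaries
    ;;
esac
```

Both checks are cheap enough to schedule from cron and ship their output to central logging, which also covers the report's point that detection, not prevention alone, is what has been missing on Linux hosts: a diff of today's hidden-module and changed-binary lists against yesterday's is a far smaller thing to review than the raw output.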
I did reach out to Red Hat with regard to both Red Hat Enterprise Linux and CentOS, but a spokesperson said that “at this time Red Hat is unable to comment.”