
APTs infiltrated Linux servers undetected for nearly 10 years

New BlackBerry research shows how five APT groups operating on behalf of the Chinese government infiltrated enterprise Linux environments undetected for nearly a decade.

New research from BlackBerry painted a bleak picture for Linux security.

BlackBerry on Tuesday published a report called "Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android" that showcased how five related advanced persistent threat (APT) groups connected to the Chinese government have targeted Linux, Windows and Android devices for years.

The five APT groups include a newly identified hacking outfit that BlackBerry researchers call "WLNXSPLINTER"; the other four are previously identified state-sponsored groups: WINNTI Group, PASSCV, Bronze Union and Casper (the lead). Most concerningly, these groups have been infiltrating Linux servers with remote access trojans (RATs) for nearly a decade, often remaining undetected for many years, according to BlackBerry.

"This report detailed how this quintet of threat actor groups have managed to successfully infiltrate and maintain persistence on servers that comprise the backbone of the majority of large data centers using a newly identified Linux malware toolset obfuscated by a kernel-level module rootkit, all of which allows them to remain nearly undetectable on the infected systems," the report read. "The fact that this new Linux malware toolset has been in the wild for the better part of the last decade without having been detected and publicly documented prior to this report makes it highly probable that the number of impacted organizations is significant and the duration of the infections lengthy."

BlackBerry researchers determined the new Linux malware toolset was connected to a massive botnet known as XOR DDoS, which was first discovered in 2014 and targeted Linux servers.

The report says that Linux servers were likely targeted because Linux has "poor security solution coverage" and is vulnerable to complex malware. Eric Cornelius, BlackBerry's chief product architect, added that priority could also be a factor at play.

"When you look at the staff-ranked order of operations that your network security administrator has to deal with on a daily basis, putting a large number of resources on Linux machines just hasn't happened. The priority is pretty far down the list," Cornelius told SearchSecurity.

While the five APT groups were separate hacking outfits, BlackBerry said there was significant coordination between the groups, particularly when targeting Linux environments. The report also states that all five groups attacked video game companies to steal code-signing certificates; the threat actors used the certificates to sign their malware, which made the hacking tools appear as legitimate applications.

Cornelius said he sees the report not just as research about state-sponsored APTs, but also as a wake-up call for Linux security.

"This report is really going to be a call to arms to the people around the world to say, 'We need to put more dedicated focus on securing these Linux servers with the same level of rigor and attention that we give to the Windows and other fleets that we operate,'" Cornelius said.
