Hackers Have Targeted Linux Servers for Years: Report

For nearly a decade, five hacking groups with apparent links to the Chinese government have targeted vulnerable Linux servers that make up the backend IT infrastructure of thousands of companies and organizations around the world, according to a research report from BlackBerry.

Since at least 2012, these hacking groups have targeted a wide array of industries that use Linux servers within their data center operations, BlackBerry reports. The goal is to steal intellectual property and other valuable data.

See Also: Webinar | Can Medium-Sized Companies Automate Access to Critical Multi-Cloud IT Environments?

Because Linux servers support the backend operations of many large enterprises, they often store intellectual property, trade secrets and lists of employee usernames and passwords, according to the report.

Linux operating systems power about 98 percent of the world’s supercomputers, according to a 2020 study by the Linux Foundation. For organization that store data in the cloud, about 75 percent of the infrastructure is composed of Linux servers, the same study showed.

Open Source Security

The hacking group campaigns that BlackBerry describes scan the internet for vulnerable or unpatched Linux severs, including those systems that use open source operating systems from vendors such as Red Hat Enterprise, CentOS and Ubuntu Linux, according to the report.

Once the attackers gain a foothold, they plant malware, including backdoors and kernel rootkits, which enables them to exfiltrate the data they want to steal, the report notes.

“This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” John McClurg, the CISO of BlackBerry, notes in the report.

The report does not identify which organizations have been targeted by this campaign.

Target: Linux

Because many Linux web servers handle large amounts of traffic each day, it’s relatively easy for attackers to hide exfiltrated data within this volume of legitimate traffic, according to the report.

And because most security firms focus their attention on Windows systems or user-facing devices such as laptops and smartphones, Linux server vulnerabilities are sometimes forgotten or overlooked, the report notes.

“Linux’s command-line interface also makes it less widely accessible, which means it is usually administered by a smaller number of skilled systems administrators,” according to the report. “In contrast, practically everyone from the corner office to the mailroom uses desktop computers running either Windows or macOS, so most security companies have focused more of their research and development on products for the front office as opposed to the server rack.”

As a result, hacking groups have repeatedly used the same methods to compromise Linux severs, the BlackBerry researchers note.

For example, the researchers discovered two, kernel-level rootkits that rendered the executables used in these attacks difficult to detect. And these toolsets appear to have been used for several years with few changes, the report notes.

“The fact that this Linux malware toolset has been in the wild for the better part of the last decade without having been detected and publicly documented prior to this report makes it highly probable that the number of impacted organizations is significant and the duration of the infections lengthy,” the Blackberry researchers report.

Five Related Groups

The BlackBerry report states that at least five hacking groups appear to have played a role in this long-running campaign. The researchers, however, note that these groups all appear to be related to an umbrella organization called the Winnti Group.

According to a 2018 report by security firm ProtectWise, the Winnti Group, which also goes by the names PassCV, APT17, Axiom, LEAD, Barium, Wicked Panda and GREF, has ties to Chinese intelligence and is known to use code-signing certificates to target organizations with the goal of stealing data or spying on individuals (see: Report: Chinese Actors Steal Code-Signing Certificates).

Blackberry says the five hacking groups described in the report comprise civilian contractors who apparently are working in the interest of the Chinese government. These hacking groups share their tools, techniques, infrastructure and targeting information with each other as well as their government counterparts, according to the report.

Over the last several months, the U.S. government has attempted to shine more light on the hacking activities – including the theft of intellectual property – of groups tied to the Chinese government.

In February, the U.S. Department of Justice indicted four members of China’s People’s Liberation Army for allegedly hacking Equifax in 2017 and stealing the personal data of over 145 million Americans as well as a vast trove of the company’s trade secrets and intellectual property (see: 4 in Chinese Army Charged With Breaching Equifax ).