For most of the past decade, according to a new report from the BlackBerry Research and Intelligence Team, advanced hackers working in the interests of China have attacked Linux targets with great success and little to no detection. You might think that is not much of a problem, given that the latest statistics put Linux at 1.71% of the global desktop operating system market versus 77.1% for Windows. That is until you realize that Linux powers 100% of the top 500 supercomputers and, according to BlackBerry research, 75% of all web servers and the major cloud service providers for good measure. In February, the United States’ Attorney General, William Barr, warned of the cyber threat that Chinese state actors pose to businesses, saying that China “uses a multi-pronged approach to engage in cyber-intrusions by co-opting private sector insiders through its intelligence services”.
Decade of Chinese RAT
This new research adds to that concern, claiming that a concerted effort involving five Chinese Advanced Persistent Threat (APT) groups has been focused on the Linux servers which “form the backbone of the majority of large data centers responsible for the most sensitive corporate network operations.” What the researchers discovered was evidence that a previously undocumented set of Linux malicious tools was being used by these threat actors: a toolset that includes no fewer than two kernel-level rootkits and three backdoors, and which, according to the researchers, has been actively deployed since March 13, 2012. BlackBerry’s analysis of this decade of RATs links the previously unidentified malware toolbox to one of the largest Linux botnets ever discovered, and concludes that it is “highly likely” that the number of organizations affected will be large and “the duration of infections long”.
Chinese threat actor assignment
The researchers are confident that the five APT groups involved are made up of civilian contractors working for the benefit of the Chinese government. That involvement can, however, be plausibly denied by the government, according to the report, because the tools, techniques and infrastructure used for the attacks are shared between the groups with few bureaucratic or legal obstacles. The groups are best described as using the tactics, techniques and procedures (TTPs) of WINNTI, one of the first Chinese APT groups, which was believed to have long since disbanded. They target, according to the researchers, Red Hat Enterprise Linux, CentOS and Ubuntu environments “systematically in a wide range of vertical markets”, for cyber espionage and the theft of intellectual property.
Linux defensive capabilities “at best immature”, report claims
According to the report, Linux is not a primary focus of security solutions, and defensive coverage in Linux environments is “at best immature”, with endpoint protection or endpoint detection and response products rarely used. This has allowed attackers to use Linux servers as “network bridgeheads for other operations,” according to the BlackBerry researchers. “The security products and services that support Linux, the offerings that could detect and give us insight into a threat like this, are relatively lacking compared to other operating systems,” said Eric Cornelius, chief product architect at BlackBerry, “and security research regarding APT use of Linux malware (which could also shed light on it) is also relatively rare.”
Is Linux mature and secure?
Joe McManus, director of security at Canonical, which publishes Ubuntu, disagrees. “I think the premise that Linux security is not mature is incorrect,” he told me, adding, “Linux, and especially Ubuntu, are incredibly secure systems, but, having said that, it’s their popularity that makes them a target.” McManus was not surprised that nation-state actors attack Linux operating systems. Nor was Ian Thornton-Trump, a threat intelligence and CISO expert at Cyjax, surprised that Chinese APT actors, whom he describes as “among the best in the world,” attack Linux servers. “This should not be surprising, since adversaries have mission capabilities across the range of cyber targets, including Linux,” said Thornton-Trump. He explained that the most sensitive systems in some western countries run Linux, ranging from secure telecommunications systems to supercomputers. “From an economic and mission point of view,” he concludes, “it makes sense for a threat actor to invest in open source skills for flexibility and the ability to target the systems where the valuable things are produced.”
As for how such an advanced attack toolkit could remain unknown for so long, Joe McManus says that “nation-state actors are particularly good at keeping their tool kits private, because unlike financially motivated actors, they are less likely to resell the toolkits in use.” And, as Philip Ingram, a former British military intelligence colonel, put it, “It could be the open source nature that kept it undetected, and if it was state-developed, there would be no documentation in the public domain.”
Mitigation against the Linux APT threat
What about mitigation against this type of attack? “The things that need to be done to better protect Linux systems, I believe,” says Ingram, “are to understand the threat and treat it as if it were as threatened as any other operating system,” which he says is as much a psychological problem as a physical one. A peer-reviewed operating system does not mean a more secure operating system, according to Ingram. “The second thing is when you examine specific items, know your developers and know their coding, make sure that the versions used are the ones that specifically address security concerns, and finally make sure that you have the appropriate security tools.”
“As with any operating system, a layered security approach is required,” says McManus, “for the kernel, AppArmor, patches, system administration, and network security. Security is a top priority on Linux.” To which Thornton-Trump adds that it is about reducing attack surface exposure and analyzing network traffic. “Vulnerable systems can be protected by using isolation techniques,” he said, concluding, “Doesn’t that sound a bit familiar?”
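One concrete check that belongs in the layered approach described above, given that the toolset includes kernel-level rootkits, is to compare two kernel views of the loaded-module list. The script below is an added example written for this page; it is not code from the BlackBerry report, and the helper names and the sample listings are assumptions. The kernel exposes loaded modules both in /proc/modules (what lsmod prints) and as directories under /sys/module; only dynamically loaded modules carry an initstate file there. A loadable-module rootkit that hides from lsmod by unlinking itself from the module list often leaves its sysfs directory behind, so a name present in sysfs but absent from /proc/modules deserves a closer look.

```shell
#!/bin/sh
# Added example (not from the BlackBerry report): cross-check the kernel's two
# views of loaded modules to spot a module that hides from lsmod.
# Helper names and the sample data below are assumptions for illustration.

# hidden_modules PROC_TEXT SYSFS_NAMES
#   $1  text of /proc/modules (the first field of each line is the module name)
#   $2  newline-separated module names taken from /sys/module/*/initstate
# Prints, sorted and one per line, the names present in $2 but absent from $1.
hidden_modules() {
    {
        printf '%s\n' "$1" | awk 'NF { print "P", $1 }'
        printf '%s\n' "$2" | awk 'NF { print "S", $1 }'
    } | awk '
        $1 == "P" { seen[$2] = 1; next }
        $1 == "S" && !($2 in seen) { print $2 }
    ' | sort -u
}

# live_sysfs_names: names of sysfs module directories that have an initstate
# file, i.e. modules the kernel loaded dynamically (built-in code has no such file).
live_sysfs_names() {
    for f in /sys/module/*/initstate; do
        [ -e "$f" ] || continue
        d=${f%/initstate}
        printf '%s\n' "${d##*/}"
    done
}

# check_live_host: run the comparison against the running kernel (Linux only).
check_live_host() {
    [ -r /proc/modules ] || { echo "no /proc/modules here; skipping live check" >&2; return 0; }
    hidden_modules "$(cat /proc/modules)" "$(live_sysfs_names)"
}

# Constructed sample, not captured from any real host: /proc/modules lists two
# modules, while the sysfs view also shows "shadow_mod", which the list omits.
SAMPLE_PROC='ext4 745472 3 - Live 0xffffffffc0a00000
xfs 1605632 0 - Live 0xffffffffc0900000'
SAMPLE_SYSFS='ext4
xfs
shadow_mod'

echo "constructed sample, present in sysfs but missing from /proc/modules:"
hidden_modules "$SAMPLE_PROC" "$SAMPLE_SYSFS"   # prints: shadow_mod
echo "live host:"
check_live_host
```

Run it as root on a Linux server to compare the real views; an empty result means the two lists agree, not that the host is clean. A rootkit that also removes its sysfs kobject evades this particular comparison, so treat it as one check alongside patching, AppArmor confinement and network traffic analysis rather than as proof of absence.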
I contacted Red Hat regarding both Red Hat Enterprise Linux and CentOS, but a spokesperson said that “at this time Red Hat is unable to comment.”