Chinese APT Groups Tied to Shared Linux Spyware Stack

Five Chinese hacker groups have all been traced back to the Winnti group, which specializes in supply-chain attacks, and were spotted using the same combination of Linux rootkit and backdoor.

What’s going on?

A set of Linux backdoors used for cyber-espionage has been found to be a shared resource among five different Chinese APTs. Analysis presented at Black Hat 2020 states that the groups are components of the Winnti Group, an infamous hacker group known for spreading trojanized software through software supply chains.

Why Linux?

  • Researchers state that the Linux spyware toolset has been in the wild for at least 10 years.
  • Linux servers make up a large share of the critical infrastructure in government agencies and businesses, which makes them an important target for hacker groups.
  • Apart from database and web servers, Linux runs VPN servers, proxy servers, stock exchange servers, and more. It is woven into nearly every layer of the technology infrastructure.

What about the toolset?

  • The Linux toolset consists of six different components.
  • One of the components is the XOR DDoS malware, behind what has been described as the largest Linux botnet.
  • The rootkit comes in two variants, each working together with a designated backdoor.
  • The malware was found to target Debian, Red Hat Enterprise Linux, and CentOS.

The takeaway

Linux servers were strategically targeted. All five APT groups trace back to the Winnti group and show evidence linking them to one another, and all of them employed familiar Winnti techniques. The bottom line: researchers believe this is not the work of a single crew but a well planned and well resourced intelligence-collection operation.