A group of hackers operating as an offshoot of China's Winnti group managed to stay undetected for more than a decade by going open source.
A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.
"The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets," BlackBerry noted.
China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest infoREAD MORE
"However, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups."
First chronicled by researchers back in 2013, the Winnti hacking operation is thought to date back as far as 2009. These groups, described by BlackBerry as "offshoots" of that hacking outfit, have been around for nearly as long and use similar tactics.
Part of the reason the attack has gone unnoticed for so long, BlackBerry reckons, is due to their preference for Linux servers. It is believed the hackers use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers.
This in addition to the command-and-control tools and what is described as a "massive botnet" of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.
"In the attacks BlackBerry observed, the open Linux platform has enabled Chinese actors to develop backdoors, kernel rootkits, and online-build environments at a high level of complexity and specificity, with the end result being a toolset specifically designed to be harder to detect," the report noted.
"Compounding low detection rates inherent in the malware design is the relative lack of coverage quality and features in malware detection solutions for Linux available on the market today."
Going after Linux servers also has the added benefit of yielding massive caches of data when an attack is successful.
"The fact that this new Linux malware toolset has been in the wild for the better part of the last decade," said BlackBerry, "without having been detected and publicly documented prior to this report, makes it highly probable that the number of impacted organizations is significant and the duration of the infections lengthy." ®