
The Threat of Espionage on Linux Systems is Growing and Can’t be Ignored


Security companies have historically focused on espionage incidents involving Windows systems, and have consequently overlooked similar threats on Linux platforms, even though attacks on Linux servers are increasing daily. Because valuable data in sectors such as scientific research, technology and education is often hosted on Linux systems, heightened security measures to safeguard it are becoming a critical need. Researchers at QiAnXin Threat Intelligence Center have been monitoring Linux server attacks by unknown threat groups in a campaign called "Operation Veles." Among these, groups like UTG-Q-008 and UTG-Q-009 have caused significant damage, the researchers said.

Threat Group Successfully Targets Linux Systems

UTG-Q-008 targets Linux systems specifically, using a vast botnet for espionage against the research and education sectors. The group shows remarkable resources and endurance: its domain names have been active for more than ten years and its attack methods are sophisticated. Its targets include over 5,000 network segments totalling more than 17 million IP addresses, mainly on CERNET (the China Education and Research Network), with particular attention to advanced biological genetics and RNA immunotherapy research in China and the United States. UTG-Q-008 has abundant network resources and uses fresh servers for each operation, executing attacks in a four-hour window beginning at midnight. Because the shells it spawns are short-lived and the infrastructure is rotated per operation, traditional indicators of compromise such as IP addresses and domains age out quickly and are of little use on their own. Many organizations have moved their perimeter Linux servers off the default SSH port, so the group's first step is to use the botnet's distributed reach for SYN scans that locate the open ports; it then brute-forces root passwords on the discovered servers, research servers included, while attracting little attention. The researchers measured the SYN-scan frequency per individual IP address at an average of 25-35 scans per second.
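The tradecraft described above (SYN scans at roughly 25-35 per second from each scanning node, root password brute force over SSH, activity clustered in the hours after midnight) gives a defender three signals to check on the host and network side. The following is an added example, not code from the QiAnXin report or from the group's own tooling; the sshd log lines and packet records are constructed sample data, and the thresholds (five failed root logins within 60 s, 20 SYNs/s to at least 16 distinct targets, a 00:00-04:00 window) and the year assumed for syslog timestamps are assumptions to be tuned locally.

```python
# Detection sketch for the UTG-Q-008 tradecraft described above: SSH root brute
# force, per-source SYN-scan rate, and the midnight attack window.
# Added example with constructed sample data; all thresholds are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sshd lines in traditional syslog format (no year field); not real logs.
AUTH_LOG = """\
Mar 12 00:12:01 rsvr01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 12 00:12:03 rsvr01 sshd[2212]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 12 00:12:04 rsvr01 sshd[2214]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar 12 00:12:06 rsvr01 sshd[2216]: Failed password for root from 203.0.113.7 port 51144 ssh2
Mar 12 00:12:08 rsvr01 sshd[2218]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 12 00:12:09 rsvr01 sshd[2220]: Accepted password for root from 203.0.113.7 port 51158 ssh2
Mar 12 02:45:00 rsvr01 sshd[2500]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 12 02:45:02 rsvr01 sshd[2502]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 12 09:30:15 rsvr01 sshd[3101]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 12 09:30:40 rsvr01 sshd[3103]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, src_ip) tuples. Syslog omits the year,
    so one is assumed here; use the file's real year in production."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def root_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with >= threshold failed root logins inside a sliding window of
    window_s seconds. A later 'Accepted' for a flagged source means the password
    was guessed and is recorded as succeeded=True."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, result, user, ip in sorted(events):
        if user != "root":
            continue
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "succeeded": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif ip in flagged:
            flagged[ip]["succeeded"] = True
    return flagged

def make_syn_records():
    """Constructed per-packet records (epoch seconds, src, dst, dport, tcp flags):
    one node of a distributed scan at ~30 SYN/s plus a benign HTTPS client."""
    base = 1710201600.0  # 2024-03-12T00:00:00Z, assumed
    recs = [(base + i / 30.0, "203.0.113.7", "10.0.0.5", 20000 + i, "S") for i in range(60)]
    recs += [(base + i * 0.5, "198.51.100.20", "10.0.0.5", 443, "S") for i in range(4)]
    return recs

def syn_scanners(records, min_rate=20.0, min_targets=16):
    """Per-source rate of bare SYNs (flags == 'S') per second over the span of that
    source's packets (at least 1 s), plus the count of distinct (dst, dport)
    targets. A source is flagged only when both exceed their threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if flags == "S":
            per_src[src].append((ts, dst, dport))
    found = {}
    for src, pkts in per_src.items():
        span = max(max(p[0] for p in pkts) - min(p[0] for p in pkts), 1.0)
        rate = len(pkts) / span
        targets = len({(d, p) for _, d, p in pkts})
        if rate >= min_rate and targets >= min_targets:
            found[src] = {"syn_rate": round(rate, 1), "syn_targets": targets}
    return found

def in_attack_window(ts, start=time(0, 0), end=time(4, 0)):
    """True if ts falls in the 00:00-04:00 window the researchers report for
    UTG-Q-008 operations. A timing heuristic only, never proof on its own."""
    return start <= ts.time() < end

def triage(auth_text, syn_records):
    """Merge the three signals into one report keyed by source IP."""
    events = parse_auth_log(auth_text)
    report = {}
    for ip, info in root_bruteforce(events).items():
        first = min(ts for ts, _, user, src in events if src == ip and user == "root")
        report[ip] = dict(info, ssh_in_window=in_attack_window(first))
    for ip, info in syn_scanners(syn_records).items():
        report.setdefault(ip, {}).update(info)
    return report

if __name__ == "__main__":
    for ip, signals in triage(AUTH_LOG, make_syn_records()).items():
        print(ip, signals)
```

Run directly, the script prints one line for 203.0.113.7 showing the five-failure burst, the subsequent successful root login, the in-window timing and the scan rate. The rate check is paired with the distinct-target count rather than used alone because the scan is distributed: each node looks modest by itself, and a single busy client can exceed 20 connections per second to one service. A successful root login following a burst is the signal to act on; removing password authentication for root (PermitRootLogin prohibit-password in sshd_config) takes this initial-access technique off the table regardless of which port sshd listens on.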

Emergence of Botnets in Linux Server Domains

The botnet's resources are concentrated in China and the United States and include web servers, monitoring systems, and nodes of botnets such as Perlbot and Mirai, which are used for reconnaissance, brute-forcing, vulnerability exploitation, and Trojan delivery. Botnet involvement in espionage activity is not uncommon, the researchers said; what matters is the extent of that involvement. For example, in 2024 the Moobot botnet provided network proxies to APT28 for spear-phishing email delivery, and in 2019 Lazarus used the TrickBot botnet to distribute its own malware. Based on a year-long analysis of UTG-Q-008, however, the researchers believe that the botnet behind this group is, judging by its technical capabilities, directly involved in the espionage itself.

Linux Threat Group Achieves 'Impressive Results'

Over their long-term engagement, the researchers observed, for the first time, targeted attacks in which a botnet was directly involved in espionage. The scale and quality of the affected entities has been impressive; in previous APT cases, the researchers said, achieving such results in the Linux server domain would not have been possible without a few 0-day vulnerabilities. UTG-Q-008's tools are staged on springboard servers as tar archives, with the primary payload being Nanobot, which resembles Perlbot. The group uses internal network scanners and lateral-movement tools to compromise further servers inside the internal network. After gaining initial access, it deploys espionage plugins to collect sensitive data and installs the xmrig cryptocurrency miner on compromised servers as cover, so that the intrusion looks like ordinary mining activity. The group operates mainly during standard working hours but has also been observed active late at night, which suggests operators possibly located in Eastern Europe. While UTG-Q-006 targets Windows devices, there is some overlap in operations and shared activity with UTG-Q-008; the exact relationship between the two groups is unclear. The emergence of UTG-Q-008 as a sophisticated threat to Linux-based systems shows the importance of enhancing security measures to protect critical research and development sectors from espionage. Strengthening defenses against such threats is essential to safeguard national technological advancements.

China Increasingly Targeting Canadians with Cyber Operations

China is increasingly targeting Canadian citizens and organizations, expanding the scale and scope of its cyber operations, warned the Canadian Centre for Cyber Security (Cyber Centre) in a cyber threat bulletin issued Monday. The Cyber Centre said China's cyber operations surpass other nation-state cyber threats in volume, sophistication, and breadth of targeting. China's cyber threat actors have targeted a wide range of sectors in Canada, including all levels of government, critical infrastructure, and the Canadian research and development sector.
“The threat from China [to Canadian organizations] is very likely the most significant by volume, capability, and assessed intent. China-sponsored cyber threat actors will very likely continue targeting industries and technologies in Canada that contribute to the state’s strategic priorities.”
- Canada's National Cyber Threat Assessment 2023-2024

China Increasingly Targeting Canadians through Cyberespionage

Chinese cyber threat actors often operate under the direction of PRC intelligence services, targeting information that aligns with Beijing's national policy objectives. This includes economic and diplomatic intelligence relevant to the PRC-Canada bilateral relationship and technologies prioritized in the PRC's central planning, Canada said. Government of Canada networks have been compromised multiple times by Chinese actors, the Cyber Centre said. Although all known compromises have been addressed, Chinese cyber threat actors still frequently conduct reconnaissance against federal networks, and other government organizations should be aware of the espionage risk. Last month, British Columbia, Canada's westernmost province, reported facing multiple “sophisticated cybersecurity incidents” on government networks. Public Safety Minister and Solicitor General Mike Farnworth later told reporters that an unnamed state actor had made three attempts to breach B.C. government networks. Chinese threat actors also target large datasets containing personal information for bulk data analysis and profiling, the Cyber Centre warned. Online services often collect personal information from their users in order to function; when that information is exposed through a data breach or released willingly by the user, threat actors can use it for identity theft or targeted fraud against that user. The data of interest includes financial details and social information, information on habits, health and home security, and location and travel data. The targets include:
  • Government entities at all levels, including federal, provincial, territorial, municipal, and Indigenous.
  • Organizations or individuals in close partnership with government entities.
  • Universities, labs, and technology companies involved in research and development of PRC-prioritized technologies.
  • Individuals or organizations perceived as threats by the PRC, especially those advocating for Taiwan and Hong Kong independence and Chinese democracy.
[Figure: Cyberespionage, China Increasingly Targeting Canadians. Source: Canadian National Threat Assessment Report 2023-24]

Elections, Critical Infrastructure Targeted

Canada recently revealed unsuccessful Chinese attempts to interfere in past elections as well. Beijing has denied these allegations, but the Canadian Security Intelligence Service (CSIS), in its annual report, warned of ongoing Chinese interference in Canadian political affairs that puts democratic integrity at risk.
“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.
The report identified China as a state-based threat conducting widespread cyberespionage across various sectors, including government, academia, private industry, and civil society organizations. The Cyber Centre also shares concerns with the U.S. about PRC cyber threat groups pre-positioning network access for potential attacks on North American critical infrastructure in case of conflict in the Indo-Pacific.
"The Cyber Centre assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well due to interoperability and interdependence in the sectors of greatest concern."
Sectors of greatest concern include energy, telecommunications, and transportation. However, the attacks on the provincial government networks were preceded by targeting of the country's healthcare sector, which is therefore also a cause for concern. The first attack in this sector hit the retail and pharmacy chain London Drugs; it was followed by a cyberattack on the First Nations Health Authority (FNHA), which compromised employee information and limited personal data.

Threat Tactics Detailed

PRC cyber threat actors are known for several sophisticated techniques, the report said:
  • Co-opting compromised small office and home office (SOHO) routers to conduct activity and avoid detection.
  • Using built-in network administration tools for malicious activity, blending into normal system traffic.
  • Compromising trusted service providers to access client information or networks.
  • Rapidly weaponizing and proliferating exploits for newly revealed vulnerabilities, posing a continuous risk.

Mitigating the Chinese Threat

The Cyber Centre advises the Canadian cybersecurity community, especially provincial, territorial, and municipal governments, to enhance their awareness and protection against PRC cyber threats. Recommended measures include:
  1. Isolate Critical Infrastructure: Isolate critical components and services from the Internet and internal networks and test manual controls for operational continuity.
  2. Increase Vigilance: Monitor networks for tactics, techniques, and procedures (TTPs) reported by the Cyber Centre and partners. Focus on identifying and assessing unusual network behavior.
  3. Restrict Movement: Pay attention to vulnerable entry points, such as third-party systems. Disable remote access from third-party systems during incidents.
  4. Enhance Security Posture: Patch systems focusing on vulnerabilities identified by the U.S. Cybersecurity and Infrastructure Security Agency. Enable logging, deploy network and endpoint monitoring, and implement multi-factor authentication. Create and test offline backups.
  5. Incident Response Plan: Have a cyber incident response plan and continuity of operations and communications plans ready and tested.
By adopting these measures, organizations can better defend against and mitigate PRC cyber threats, the report said.

On the Zero-Day Market

New paper: “Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market”:

Abstract: Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike and to do so more easily than when such work required tradecraft. The last ten years have also been marked by stark failures to control spyware and its precursors and components. This Article accounts for and critiques these failures, providing a socio-technical history since 2014, particularly focusing on the conversation about trade in zero-day vulnerabilities and exploits. Second, this Article applies lessons from these failures to guide regulatory efforts going forward. While recognizing that controlling this trade is difficult, I argue countries should focus on building and strengthening multilateral coalitions of the willing, rather than on strong-arming existing multilateral institutions into working on the problem. Individually, countries should focus on export controls and other sanctions that target specific bad actors, rather than focusing on restricting particular technologies. Last, I continue to call for transparency as a key part of oversight of domestic governments’ use of spyware and related components.
