Security companies have historically focused on espionage incidents related to Windows systems. This has led to them overlooking similar threats on Linux platforms, even though attacks on Linux servers are increasing with each passing day.
As valuable data in sectors such as scientific research, technology and education are often hosted on Linux systems, heightened security measures to safeguard them is becoming a critical need.
Researchers at QiAnXin Threat Intelligence Center have been monitoring Linux server attacks by unknown threat groups in a campaign called “Operation Veles.” Of these, groups like UTG-Q-008 and UTG-Q-009 have caused significant damage, the researchers said.
Threat Group Successfully Targets Linux Systems
UTG-Q-008 specifically targets Linux systems using a vast botnet network for espionage in the research and education sectors. This group displays remarkable strength and endurance, with active domain names for more than ten years and sophisticated attack methods.
The targets of UTG-Q-008 include over 5,000 network segments totaling more than 17 million IP addresses, mainly from the CN CER (China Education and Research) network. They also focus on advanced biological genetics and RNA immunotherapy research in China and the United States.
UTG-Q-008 has access to abundant network resources, using new servers for each operation to execute attacks in a four-hour window beginning at midnight. These attacks involve short-lived shells, making traditional indicators of compromise ineffective.
The group uses distributed SYN scans to identify open ports and conducts brute-force attempts to crack root passwords of various servers, including research servers, with minimal detection.
Many organizations have moved away from using default SSH ports on their Linux servers situated at the network perimeter. As a result, the initial action by UTG-Q-008 involves leveraging the extensive network capabilities of botnets for executing distributed SYN scans. The researchers further detailed that they measured the frequency of SYN scans per individual IP address, estimating an average of 25-35 scans per second.
Emergence of Botnets in Linux Server Domains
The botnet resources are concentrated in China and the United States and include web servers, monitoring systems, and botnet nodes like Perlbot and Mirai, utilized for reconnaissance, brute-forcing, vulnerability exploitation, and Trojan delivery.
The involvement of botnets in espionage activities is not uncommon, the researchers said, but the extent of their participation that matters. For example, in 2024, the Moobot botnet provided network proxies to APT28 for spear-phishing email delivery. In 2019, Lazarus utilized the TrickBot botnet to distribute exclusive malware for attack activities.
However, based on a-year-long analysis of UTG-Q-008, researchers believe that the botnet behind this threat group is directly involved in espionage activities, based on its technical capabilities.
Linux Threat Group Achieves ‘Impressive Results’
In their long-term engagement, researchers for the first time observed targeted attacks in which a direct involvement of a botnet was seen for espionage. The scale and quality of the affected entities has been impressive. In previous APT cases, achieving such “impressive results” in the Linux server domain would not be possible without a few 0-day vulnerabilities, the researchers said.
UTG-Q-008’s tools are stored on springboard servers in tar format, with the primary payload being Nanobot, similar to Perlbot. The group employs internal network scanners and lateral movement tools to compromise servers within internal networks.
UTG-Q-008 deploys espionage plugins to collect sensitive data and installs “xmrig” cryptocurrency mining on compromised servers to conceal their activities after gaining initial access. The group operates primarily during standard working hours but has also been observed engaging in late-night activities possibly located in Eastern Europe.
While UTG-Q-006 targets Windows devices, there is some overlap in operations and shared activity with UTG-Q-008, but the exact relationship between the groups is unclear.
The emergence of UTG-Q-008 as a sophisticated threat that targets Linux-based systems shows the importance of enhancing security measures to protect critical research and development sectors from espionage activities. Strengthening defenses against such threats is essential to safeguard national technological advancements.