Cyber attackers are actively targeting Linux-based workstations and servers according to a report by cybersecurity firm Kaspersky.

Advanced persistent threat (APT) groups are targeting Linux systems within organisations.

“Many organisations choose Linux for strategically important servers and systems, not least because this operating system is thought to be safer and less prone to cyber threats than the far more popular Windows operating system,” Kaspersky said in its report.

“While this is the case for mass malware attacks, it is not so clear cut when it comes to advanced persistent threats (APTs). Furthermore, Kaspersky researchers have identified a trend where more and more threat actors are executing targeted attacks against Linux-based devices while developing more Linux-focused tools,” it said.

According to the firm’s report, over a dozen APT groups are attacking Linux-based systems in targeted attacks. These groups include Barium, Sofacy, the Lamberts, and Equation along with recent campaigns such as LightSpy by TwoSail Junk and WellMess.

Malware including webshells, backdoors, rootkits and custom-made exploits exist for Linux-based systems as well owing to its popularity among enterprise organizations.

Researchers cited examples of Russian-speaking group Turla and Korean-speaking group Lazarus. Turla had created a modified Penguin_x64 Linux backdoor which had infected dozens of servers in Europe and the US in July 2020.

Lazarus, as part of its ‘Operation AppleJeus’ and ‘TangoDaiwbo’ campaigns used a multi-platform framework called MATA in June 2020 for financial and espionage attacks.

“The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations,” said Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia.