How does this “stealthy Linux rootkit” get onto the system in the first place, without opening a malicious email attachment or clicking on a malicious weblink?
Seems to me this is probably a later stage thing. Somebody got initial access to a company's systems via such a mechanism to some individual's system. A few more cycles of recon, exploitation, and pivoting later, they may be in a position to install something like this on some actually important server. Use it to maintain access to the things they really want, then delete evidence of the previous steps to cover their tracks.
Now that it's at least 2 years after the initial intrusion, it could be pretty tough to determine how that happened and what path the attacker took.
Today most (by volume) Linux attacks are against IoT devices that run Linux and SSH with weak/no auth.
Behind that are attacks on Linux web servers where exploits in the web application (e.g. WordPress) or the web framework (e.g. Rails) are the attack vector.
The malicious weblink can be an advertisement, or a legit webpage that got compromised/XSS'd, or a formerly legit webpage whose domain has expired. (AFAIK this is pretty common)
The email attachment may come from your friend/business partner who themselves got infected, and the malware is now attaching itself to their legit emails. (AFAIK not very common)
Those methods would work. Could also be included in pirate content in a torrent or similar (this was a significant vector for Windows malware in the 2010s). Some instances could also have been manually placed. Or the creator could have bought the services of a botnet, installing the seeds on machines already backdoored and open. There are a fair few ways to get new rootkits out there, a number of them difficult to trace back to the true source.
EDIT: from the article:
The researchers have so far been unable to determine precisely how Krasue gets installed. Possible infection vectors include through vulnerability exploitation, credential-stealing or -guessing attacks, or by unwittingly being installed as trojan stashed in an installation file or update masquerading as legitimate software