Chinese hackers belonging to the state-backed APT41 group compromised at least six US government networks by exploiting vulnerabilities in internet-facing applications.
The vulnerabilities included a zero-day in the USAHerds application and the Log4Shell flaw in the ubiquitous Java logger Log4j, according to cyber security firm Mandiant, which was this week acquired by Google. The company responded to an APT41 intrusion targeting a US state government computer network in May 2021 and studied the group's activity until February 2022.
APT41 is a prolific Chinese state-sponsored espionage group known to for targeting organisations in both the public and private sectors and for conducting financially motivated activity for personal gain.
Although the goals of APT41’s latest campaign remain unknown, Mandiant’s investigations revealed a variety of new techniques and malware variants used by the hackers.
During the period of investigation, Mandiant found that APT41 successfully compromised at least six US state government networks through the exploitation of vulnerable internet-facing web applications, often written in ASP .NET. In most of the compromises, APT41 carried out .NET deserialization attacks, although Mandiant also observed the group exploiting SQL injection and directory traversal vulnerabilities.
In one instance, APT41 gained access through an SQL injection vulnerability in a proprietary web application but Mandiant detected and contained the activity. However, two weeks later, APT41 re-compromised the network by exploiting a previously unknown zero-day vulnerability in a commercial-off-the-shelf (CoTS) application, USAHerds.
In two other instances, Mandiant began an investigation at one state agency only to find that APT41 had also compromised a separate, unrelated agency in the same state.
Mandiant added that the hacking group was quick to adapt and use publicly disclosed vulnerabilities to gain initial access into target networks, while also maintaining existing operations.
“On December 10th, 2021, the Apache Foundation released an advisory for a critical remote code execution (RCE) vulnerability in the commonly used logging framework Log4J,” wrote the researchers. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two US state governments as well as their more traditional targets in the insurance and telecommunications industries.”
Mandiant said that in late February 2022, APT41 re-compromised two previous US state government victims. This closely aligns with APT41’s May-December 2021 activity, representing a continuation of their campaign into 2022 and demonstrating their unceasing desire to access state government networks, said the company.
Mandiant underlined that the goals of the campaign are currently unknown, although it has observed evidence of APT41 exfiltrating Personal Identifiable Information (PII).
“Although the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain,” stated the researchers.
Members of APT41 were charged by the US Department of Justice (DoJ) in September 2020 in connection with computer intrusion campaigns against over 100 victim companies.
The DoJ said their intrusion facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information. It added these intrusions facilitated the defendants’ other criminal schemes, like ransomware or crypto-jacking schemes.
