A hacking group linked to the Chinese government has compromised the networks of at least six state governments since last May using multiple vulnerabilities, including one discovered late last year in the popular Log4j logging tool, according to research published Tuesday by Mandiant.
The activity by APT41, an operation that U.S. officials have tied to China’s Ministry of State Security — the country’s civilian intelligence bureau — has been aggressive and ongoing, and represents a new focus from the group on U.S. state governments, Mandiant researcher Rufus Brown told StateScoop.
“There has been a lot of focus on U.S. state government victims,” Brown said.
The hacking campaign began in May when APT41 gained access to a state-government network with malicious code injections against a proprietary web application. While Mandiant said it quickly thwarted that attempt, the hacking group returned two weeks later with an exploitation of a zero-day vulnerability in USAHerds, a piece of commercial software used by state agriculture agencies to track disease outbreaks in livestock.
‘It’s a foothold’
Mandiant found three states where APT41 compromised networks through the USAHerds vulnerability, though it did not name them. At least 18 state agriculture agencies use that software to manage cattle and poultry health. Researchers also found that other pieces of enterprise software written using Microsoft’s ASP.NET framework were targeted during the hacking effort.
Brown said APT41 used its exploitation of USAHerds to gain broader access into state networks.
“They are leveraging anything they can that is connected to the internet,” he said. “It’s a foothold into the environment.”
According to Mandiant’s Github page, the cybersecurity firm notified USAHerds’ publisher, Acclaim Systems, of the zero-day last Nov. 23, with Acclaim stating that it had recently issued a patch. But APT41’s campaign against state governments — and other organizations in the insurance and telecommunications industries — accelerated last December with the disclosure of the Log4j vulnerability.
Brown said that within two hours of the Apache Foundation’s Dec. 10 advisory that Log4j was susceptible to remote code executions that could allow attackers to take over affected devices, APT41 operators were on the move. The vulnerability’s potential to reach hundreds of millions of devices worldwide led Cybersecurity and Infrastructure Security Agency Director Jen Easterly to call it at the time “one of the most serious I’ve seen in my entire career, if not the most serious.”
“The vulnerability had so much impact,” Brown said. “[APT41] switched over to this to gain more access. They continued to maintain access while exploiting Log4j at a wide variety of victims.”
‘All killer, no filler’
The Mandiant report also refers to the hacking group’s tactics as “all killer, no filler,” an appellation usually reserved for hard-charging rock albums, but which Brown said applied here because APT41 has changed up its techniques to maintain and regain access to state networks.
“Their [tactics, techniques and procedures] constantly change,” he said. “They employed really evasive techniques in their malware. Once they would get evicted, they would come back.”
Indeed, as recently as Feb. 26, two state governments where Mandiant had observed APT41 activity were breached again, the report reads.
APT41, which was first identified in 2019, is also known by other companies as Barium, Wicked Spider or Winnti. While Mandiant has documented the group’s activity and versatility, less clear is the group’s motive for focusing on state government. Previous campaigns linked to the group have gone after information and data from the telecom, semiconductor and gaming industries — last October, it was suspected of impersonating the Indian government with phishing emails crafted to prey on COVID-19 fears.
The Justice Department indicted seven suspected members of the group in September 2020, though five of those individuals are Chinese nationals who U.S. authorities cannot reach.
“A big highlight is that we are not sure what they really want, but they really want to get what they want,” Brown said. “State governments have access to a lot of different parts of critical infrastructure. At this time we can’t make an assessment on what they’re going after.”