Cybersecurity firm Mandiant said Tuesday in its new threat report that a Chinese state-sponsored espionage group targeted six U.S. state government networks.
March 8 (UPI) -- Chinese government-backed hackers have breached at least six U.S. state government networks since last May, cybersecurity firm Mandiant confirmed Tuesday in a new report.
Mandiant identifies the Chinese state-sponsored espionage group as APT41 in the new report and classifies it as an Advanced Persistent Threat, a category the firm tracks closely because such groups receive direction and support from a national government.
APT41 exploited vulnerabilities in web applications to compromise at least six U.S. state government networks between May 2021 and February 2022, according to the report.
In particular, APT41 exploited "a previously unknown zero-day vulnerability in a commercial-off-the-shelf (COTS) application, USAHerds," the report said.
The vulnerability exploited in the application, which 18 states use for animal health management, was similar to a previously reported vulnerability in Microsoft Exchange Server where the encryption keys were shared in all installations.
Sharing these encryption keys went "against the best practices of using uniquely generated machineKey values per application instance," so "once APT41 obtained the machineKey, they were able to compromise any server on the Internet running USAHerds," the report said.
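The weakness described above is a configuration problem: every install of the product carries the same static ASP.NET machineKey, so one leaked key fits all of them. The following script, an added example that is not part of the UPI article or Mandiant's report, shows how a defender could audit a fleet of web.config files for that pattern; the three config snippets and the install paths are constructed for illustration, and the key values are placeholders.

```python
"""Flag ASP.NET installs whose web.config files share one hard-coded machineKey.

Constructed example: three web.config snippets for three hypothetical installs
of the same product. Two ship identical static keys (the pattern the article
describes); the third leaves key generation to ASP.NET per instance.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

SHARED_MK = ('<machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_SAME_EVERYWHERE" '
             'decryptionKey="PLACEHOLDER_DECRYPTION_KEY_SAME_EVERYWHERE" '
             'validation="HMACSHA256" decryption="AES"/>')
UNIQUE_MK = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
             'decryptionKey="AutoGenerate,IsolateApps" '
             'validation="HMACSHA256" decryption="AES"/>')
SAMPLE_CONFIGS = {  # constructed install paths
    "customer-a/web.config": f"<configuration><system.web>{SHARED_MK}</system.web></configuration>",
    "customer-b/web.config": f"<configuration><system.web>{SHARED_MK}</system.web></configuration>",
    "customer-c/web.config": f"<configuration><system.web>{UNIQUE_MK}</system.web></configuration>",
}


def extract_machine_key(xml_text):
    """Return (validationKey, decryptionKey) or None if no machineKey element exists."""
    root = ET.fromstring(xml_text)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return None
    # ASP.NET's default for an absent attribute is AutoGenerate,IsolateApps.
    return (mk.get("validationKey", "AutoGenerate,IsolateApps"),
            mk.get("decryptionKey", "AutoGenerate,IsolateApps"))


def find_shared_keys(configs):
    """Group installs by static machineKey; return only groups with more than one member."""
    groups = defaultdict(list)
    for path, text in configs.items():
        key = extract_machine_key(text)
        if key is None or any(v.startswith("AutoGenerate") for v in key):
            continue  # per-instance generated keys are not the problem
        # Fingerprint the key pair rather than logging the key material itself.
        fp = hashlib.sha256("|".join(key).encode()).hexdigest()[:16]
        groups[fp].append(path)
    return {fp: sorted(paths) for fp, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    for fp, paths in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"machineKey {fp} shared by {len(paths)} installs: {', '.join(paths)}")
```

Any group the script reports is a set of installs where compromising one key compromises all of them; the fix is a distinct, randomly generated machineKey per deployment.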
The report noted that this means there "are potentially additional unknown victims," beyond the six states confirmed, and Mandiant Senior Threat Analyst Rufus Brown told The Verge "this is likely" the case.
"We say 'at least six states' because there are likely more states affected, based on our research, analysis, and communications with law enforcement," Brown said. "We know that there are 18 states using USAHerds, so we assess that this is likely a broader campaign than the six states we have confirmation."
APT41 also exploited the Java Log4j vulnerability, known as Log4Shell, which allows remote code execution on vulnerable servers and was publicly disclosed in December.
"In late February, APT41 re-compromised two previous U.S. state government victims," the report added, "demonstrating their unceasing desire to access state government networks."
Though the hackers' intent is not yet known, "this is pretty consistent with an intelligence operation, likely espionage," Brown told The Verge. "Whatever they're after here is really important, and it seems like they'll continue to go after it. ... At the end of the day, this stuff is not going to end until the folks behind it are arrested."
Back in September 2020, the Justice Department charged five Chinese nationals from the hacking group, who remain fugitives, and two Malaysian nationals who conspired with them to profit from the attacks. The attacks targeted more than 100 companies, pro-democracy organizations and universities worldwide to steal proprietary information and digital currency, resulting in millions of dollars in losses.
Mandiant has also played a role in helping Microsoft uncover the Russian government-backed SolarWinds hack against U.S. government agencies in 2020.
Google announced Tuesday it's buying Mandiant for about $5.4 billion to protect customers.