China-backed hackers breached government networks in at least six US states, per new report
A technically advanced hacking group backed by the Chinese government has compromised the computer systems of at least six US state governments, according to a newly released threat report by cybersecurity firm Mandiant.
The group, which Mandiant calls APT41, targeted US state governments between May 2021 and February 2022, according to the report. Where networks were hacked, Mandiant found evidence of the exfiltration of personally identifiable information “consistent with an espionage operation”, although the company said it could not yet make a definitive assessment of intent.
Overall, Mandiant’s research paints a picture of a formidable adversary that is constantly adapting.
“APT41’s recent activity against US state governments consists of significant new capabilities, ranging from new attack vectors to post-compromise tools and techniques,” the report said. “APT41 can quickly adapt its initial access techniques by re-compromising an environment through a different vector, or quickly operationalizing a new vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors instead of saving them for future use.”
A spokesperson for the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the agency was aware of the threat. In a statement, the spokesperson said:
“CISA is actively working with our JCDC [Joint Cyber Defense Collaborative] private sector partners, including Mandiant, and government partners to address this advanced persistent threat to state government agencies and assist affected entities. We encourage all critical infrastructure organizations and entities impacted by cyber intrusions to report to CISA and visit CISA.gov to take steps to protect themselves.”
Mandiant has a history of uncovering serious cybersecurity threats, including state-sponsored attacks like the SolarWinds hack mounted against key US government agencies by hackers believed to be backed by the Russian government. The company was also recently acquired by Google in a deal announced alongside the release of the report.
According to Mandiant’s research, the APT41 group was able to penetrate government networks by exploiting vulnerabilities in applications built with Microsoft’s .NET development platform, including a previously unknown vulnerability in USAHERDS, an animal health reporting system.
First developed for the Pennsylvania Department of Agriculture, USAHERDS was introduced as a model for improving disease traceability in livestock and was later adopted by other states. But a coding oversight led to the encryption keys that allowed certain operations within the application being “hard-coded”, meaning they were the same across all instances of USAHERDS; compromising a single installation would therefore allow a hacker to run their own code on any organization running the software.
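The hard-coded key problem described above is easy to audit for once you have the configuration files from more than one deployment: any key value that appears in two installations is by definition not per-instance. The following is an added example, not code from the article, from Mandiant or from the USAHERDS developers. It assumes the keys live in an ASP.NET `<machineKey>` element (the article only says the application is .NET-based and that its keys were hard-coded), builds three constructed configuration fragments, reports every key shared between installations, and shows what fixing it looks like: each installation gets freshly generated random keys, after which the shared-key report is empty.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample: fragments of the per-installation config file from three
# hypothetical deployments of one application. The <machineKey> element is
# ASP.NET's standard home for the keys that sign and encrypt application state;
# the article does not name the element, so using it here is an assumption.
SHARED_VALIDATION = "A1B2C3D4E5F60718" * 4   # 64 hex chars, reused by two sites
SHARED_DECRYPTION = "0F1E2D3C4B5A6978" * 2   # 32 hex chars, reused by two sites

SAMPLE_CONFIGS = {
    "state-a": f'<machineKey validationKey="{SHARED_VALIDATION}" '
               f'decryptionKey="{SHARED_DECRYPTION}" validation="HMACSHA256" />',
    "state-b": f'<machineKey validationKey="{SHARED_VALIDATION}" '
               f'decryptionKey="{SHARED_DECRYPTION}" validation="HMACSHA256" />',
    "state-c": f'<machineKey validationKey="{"1" * 64}" '
               f'decryptionKey="{"2" * 32}" validation="HMACSHA256" />',
}

# Matches the two key attributes and captures their hex values.
KEY_RE = re.compile(r'\b(validationKey|decryptionKey)="([0-9A-Fa-f]+)"')


def extract_keys(config_text: str) -> dict:
    """Return {attribute name: hex value} for the keys found in one config."""
    return {attr: value for attr, value in KEY_RE.findall(config_text)}


def find_shared_keys(configs: dict) -> dict:
    """Map each key value to the installations using it, keeping only values
    that occur in more than one installation. A non-empty result means the
    compromise of one site hands over the keys of every site listed."""
    owners = defaultdict(set)
    for name, text in configs.items():
        for value in extract_keys(text).values():
            owners[value].add(name)
    return {value: sorted(names) for value, names in owners.items()
            if len(names) > 1}


def generate_keys() -> dict:
    """Fresh random keys from the OS CSPRNG: 64 bytes for the HMAC validation
    key and 32 bytes for the AES decryption key (typical sizes, not a rule the
    article states)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def rekey(config_text: str, keys: dict) -> str:
    """Rewrite the key attributes in one config with the supplied values."""
    return KEY_RE.sub(lambda m: f'{m.group(1)}="{keys[m.group(1)]}"', config_text)


def rekey_all(configs: dict) -> dict:
    """Give every installation its own independently generated key pair."""
    return {name: rekey(text, generate_keys()) for name, text in configs.items()}


if __name__ == "__main__":
    for value, sites in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"key {value[:16]}... shared by {', '.join(sites)}")
    print("after rekeying:", find_shared_keys(rekey_all(SAMPLE_CONFIGS)) or "no shared keys")
```

The same check applies to any product that ships with fixed secrets: collect the deployed configurations, group by key value, and treat every group larger than one as a fleet-wide exposure rather than a single-site issue.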
Rufus Brown, Principal Threat Analyst at Mandiant, said that the full scale of the breach could include more targets than the six currently known.
“We say ‘at least six states’ because there are likely more states affected, based on our research, analysis and communications with law enforcement,” Brown said. “We know 18 states are using USAHERDS, so we believe this is likely a broader campaign than the six states where we have confirmation.”
An email sent to Acclamation Systems, the developers of USAHERDS, had not received a response at the time of publication.
In addition to compromising .NET-based applications, APT41 also exploited the Log4Shell vulnerability, a severe and widespread problem in the Log4j Java library that was publicly disclosed in December 2021. According to Mandiant’s analysis, APT41 began mounting attacks that exploited Log4j within hours of the vulnerability details being published, and used the vulnerability to install backdoors on Linux systems that would give it continued access at a later date.
All this indicates the sophistication and stealth of the APT41 group, characteristics that have marked its operations since its discovery.
In cybersecurity parlance, “APT” designations are given to Advanced Persistent Threats, the most sophisticated level of threat actor and one that is typically either directly employed by a national government (e.g., the notorious Sandworm group, considered a unit of the Russian GRU military intelligence agency) or an elite hacker group operating with state support.
APT41’s activities were first detailed in a report by cybersecurity firm FireEye, which dubbed the hacking group “Double Dragon” for its dual focus on espionage and financial cybercrime. Among other things, the FireEye report describes a history of supply chain attacks against software developers dating back to 2014; in some documented cases, APT41 hackers were even able to inject malicious code into video game files sold to users by legitimate game distributors.
The hacking group’s actions eventually brought it to the attention of the US government, and the Department of Justice brought charges against five APT41 members in 2022 and 2020, earning them a spot on the FBI’s most wanted list.
While APT41 is known to carry out financial crime operations as well as espionage, Mandiant researchers believe that in this case the motive is the latter.
“It’s pretty consistent with an intelligence operation, probably espionage,” Brown told The Verge. “Everything they’re looking for here is really important, and it looks like they’ll keep looking for it… Ultimately, this stuff isn’t going to end until the people behind it are stopped.”
The FBI did not respond to a request for comment.
Updated March 9 at 9:35 a.m. to include the CISA statement.