China-backed APT41 compromised ‘at least’ six US state governments

The prolific China APT41 hacking group, known for carrying out espionage in parallel with financially motivated operations, has compromised multiple U.S. state government networks, according to cybersecurity giant Mandiant.

The group — seemingly undeterred by U.S. indictments against five APT41 members in 2020 — conducted a months-long campaign during which it targeted and successfully breached at least six U.S. state networks, all of which have been notified by Mandiant but were not named.

Between May 2021 and February 2022, the hacking group used vulnerable internet-facing web applications to gain an initial foothold into state networks. This included exploiting a zero-day vulnerability in a software application called USAHerds, used by 18 states for animal health management, and the now-infamous so-called Log4Shell vulnerability in Apache Log4j, a ubiquitous Java logging library.

Mandiant said APT41 began exploiting Log4Shell within hours of the Apache Foundation publicly sounding the alarm about the vulnerability in December 2021, which led to the compromise of two U.S. state government networks and other targets in the insurance and telecoms industries. After gaining that foothold on the network, APT41 went on to perform “extensive” credential collection.

The investigation also uncovered a variety of new techniques, evasion methods and capabilities used by APT41. In one instance after APT41 gained access to a network via SQL injection vulnerability in a proprietary web application — activity that was contained by Mandiant — APT41 came back two weeks later to recompromise the network with a brand new zero-day exploit. The group also tailored its malware to their victim’s environments and frequently updated the encoded data on a specific forum post, enabling the malware to receive instructions from the attackers’ command and control server.

Though Mandiant said it saw evidence of the hackers exfiltrating personally identifiable information that’s typically consistent with an espionage operation, the goal of the campaign remains unclear — but whatever the group is after must be of high value.

Geoff Ackerman, principal threat analyst at Mandiant, said that while the world is focused on the potential of Russian cyber threats in the wake of the invasion of Ukraine, this investigation is a reminder that other major threat actors around the world are continuing their operations as usual.

“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day,” said Ackerman. “APT41 is truly a persistent threat, and this recent campaign is another reminder that state-level systems in the United States are under unrelenting pressure from nation-state actors like China, as well as Russia.”