Security researchers at Mandiant say China-backed hackers are likely behind the mass-exploitation of a recently discovered security flaw in Barracuda Networks’ email security gear, which prompted a warning to customers to remove and replace affected devices.
Mandiant, which was called in to run Barracuda’s incident response, said the hackers exploited the flaw to compromise hundreds of organizations likely as part of an espionage campaign in support of the Chinese government.
Almost a third of the targeted organizations are government agencies, Mandiant said in a report published Thursday.
Last month, Barracuda discovered the security flaw affecting its Email Security Gateway (ESG) appliances, which sit on a company’s network and filter email traffic for malicious content. Barracuda issued patches and warned that hackers had been exploiting the flaw since October 2022. But the company later recommended customers remove and replace affected ESG appliances, regardless of patch level, suggesting the patches failed or were unable to block the hacker’s access.
In its latest guidance, Mandiant also warned customers to replace affected gear after finding evidence that the China-backed hackers gained deeper access to networks of affected organizations.
Barracuda has about 200,000 corporate customers around the world. Barracuda said in a statement, provided by Emma Goulding, a spokesperson for Barracuda via public relations firm Highwire, that about 5% of active ESG devices worldwide showed evidence of compromise as of June 10.
Mandiant is attributing the hacks to an as-yet-uncategorized threat group it calls UNC4841, which shares infrastructure and malware code overlaps with other China-backed hacking groups. Mandiant’s researchers say the threat group exploited the Barracuda ESG flaws to deploy custom malware, which maintains the hackers’ access to the devices while it exfiltrates data.
According to its report, Mandiant said it found evidence that UNC4841 “searched for email accounts belonging to individuals working for a government with political or strategic interest to [China] at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”
Given that a large portion of the targets were government entities, the researchers said this supports their assessment that the threat group has an intelligence-gathering motivation, rather than conducting destructive data attacks.
Mandiant’s chief technology officer Charles Carmakal said the hacks targeting Barracuda customers is the “broadest cyber espionage campaign” known to be conducted by a China-backed hacking group since the mass-exploitation of Microsoft Exchange servers in 2021, which Mandiant also attributed to China.
Liu Pengyu, a spokesperson for the Chinese Embassy in Washington D.C., said the allegations that the Chinese government supports hacking is “completely distorting the truth.”
“The Chinese government’s position on cyber security is consistent and clear. We have always firmly opposed and cracked down on all forms of cyber hacking in accordance with the law,” the spokesperson said, while also accusing the U.S. government of violating international law by carrying out similar espionage activities, but without providing evidence for the claims.
Updated with comment from Barracuda.