China Backed Hackers Compromised Six US State Governments – Mandiant

APT41, said to be one of the most effective hacking teams backed by the Chinese government, has compromised the networks of at least six US state government networks.

This is the warning from Mandiant on Tuesday, after it began investigating an APT41 intrusion targeting a US state government computer network back in May 2021.

Mandiant said that was just the beginning of its “insight into a persistent months-long campaign conducted by APT41 using vulnerable Internet facing web applications as their initial foothold into networks of interest.”

US State compromises

APT41 goes by a number of other names, including Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, TG-2633, Bronze Atlas, Red Kelpie, and Blackfly.

In a blog post on Tuesday, Mandiant detailed “APT41’s persistent effort that allowed them to successfully compromise at least six US state government networks (between May 2021 and February 2022) by exploiting vulnerable Internet facing web applications, including using a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228).”

Mandiant said that the overall goals of APT41’s campaign remain unknown, but its investigations into each of those intrusions have revealed a variety of new techniques, malware variants, evasion methods, and capabilities.

“Although APT41 has historically performed mass scanning and exploitation of vulnerabilities, our investigations into APT41 activity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting US state governments,” the security firm noted.

It said APT41 exploited vulnerabilities in web applications to get their initial foothold into state government networks.

However the hackers also took advantage of software flaws and quickly exploited security vulnerabilities that were made public by researchers.

The hackers also adapted their tools to attack via different methods, it said.

“APT41′s recent activity against US state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques,” the researchers said.

“APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalising a fresh vulnerability,” Mandiant added.

It should be remembered that US authorities are already aware of APT41.

In September 2020, the US Department of Justice indicted five Chinese nationals, including some it alleged were part of APT41, with computer intrusions affecting over 100 victim companies in America and abroad.

Mandiant said Tuesday that APT41 appeared to be “undeterred” by the indictment and its goals remain “unknown.”

Hackers for hire

Back in 2019, FireEye warned that APT41 dabbles in cyber crime operations for cash.

It said that members of API41 carried out state-sponsored espionage activity, in parallel with financially motivated operations.

In March 2020, FireEye also warned of a “widespread hacking campaign” being carried out by APT41, after it saw “APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers.”

Earlier this week Google confirmed it will acquire veteran cybersecurity specialist Mandiant in a transaction valued at roughly $5.4 billion. Mandiant will eventually join Google Cloud.