Chinese State-Sponsored Hacking Group Compromised ‘At Least’ Six U.S. State Governments

Using the internet and modern technologies, people can conduct surveillance without having to be physically present.

Gone are the days where government send spies across borders behind "enemy lines" to gather information about targets.

Not anymore that governments need physical access to targets' belongings to uncover secrets.

With the internet, anyone with the right set of tools and knowledge, can conduct espionage from half way cross the globe.

Powerful countries have long engaged in cyberespionage war between each other, and using their intelligence to track, observe and steal information from adversaries.

And this time, a prolific Chinese-backed hacker group has penetrated the networks of at least six state governments in the U.S., found cybersecurity firm Mandiant.

U.S. state government campaign timeline
U.S. state government campaign timeline (Credit: Mandiant)

According to a report from Mandiant, the group responsible is APT41, a well-known threat actor that has a long history of causing troubles.

APT41 is said to have spent at least a year exploiting a number of vulnerable platforms and programs, in order to dig their ways inside the properties of the Unites States.

While the researchers have yet to know the hacking group's intention, APT41 is already known for its cyber espionage capabilities.

APT41, which also goes by the name “Barium” and “Winnti,” is thought to have been active since as far back as 2012.

In 2020, members of the hacking group were indicted in absentia by the U.S. Justice Department for a series of hacking spree that involved hacks into the networks of dozens of private companies and the theft worth millions of dollars. The indictment also alleged that the group was also involved in a diverse array of cybercriminal activities, including crypto-jacking, ransomware, and the theft corporate proprietary information, including "source code, software code signing certificates, customer account data, and valuable business information."

Long story short, according to a US indictment unsealed in September 2020, APT41 has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.

APT41 also exploited an insecure farming app called USAHERDS (Animal Health Emergency Reporting Diagnostic System), which is used by state governments to trace diseases in local livestock populations.

APT41 has also exploited Apache log4j, a Java-based logging utility.

Read: The 'Log4j' Bug That Made The Internet Desperately Scrambled For A Fix

[block:block=87]

And this is what exactly happened.

According to the researchers, APT41 took advantage of the widespread Log4j software vulnerability to launch attack that compromised at least six U.S. state governments.

And what began in May 2021 and ended in February 2022, the hacking group used vulnerable internet-facing web applications to gain an initial foothold into state networks. The campaign also included exploiting the aforementioned USAHERDS through a previously unknown zero-day vulnerability which allowed the hackers to compromise any server running the program.

At this time, it is said that USAHERDS is used by at least 18 different U.S. states.

"This is a pretty unique switch," Rufus Brown, a ​​senior threat analyst at Mandiant and the lead author of the report, said about the attacks. "Since May 2021, we’ve seen them just continuously hammer these state governments."

Mandiant said that its investigation started when it was examining an unspecified state’s government computer network.

The investigation also uncovered a variety of new techniques, evasion methods, and capabilities used by APT41.

They include network access via SQL injection, malware attacks, and more.

APT41 wanted by the FBI
APT41 members in FBI's wanted list (Credit: FBI)

Brown, whose company began the investigation after it was contacted by one of the state governments about suspicious activity in its network, said that based on his investigation, he has a "100 percent"” confidence that the attacks were made by APT41.

Geoff Ackerman, principal threat analyst at Mandiant, said that while the world is focused on the potential of Russian cyber threats in the wake of the invasion of Ukraine, this investigation is a reminder that other major threat actors around the world are continuing their operations as usual.

“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day,” said Ackerman. “APT41 is truly a persistent threat, and this recent campaign is another reminder that state-level systems in the United States are under unrelenting pressure from nation-state actors like China, as well as Russia.”

Mandiant added that the hacking group APT41 has already been FBI's target.

"It’s very persistent, very continuous, and they keep coming back for whatever they want," the report said. "We likely assess that there are more states affected."

As for China, its officials have denied for years that it has ever facilitated cyberattacks targeting other countries, saying that it too is a victim of hacking.

Read: The U.S. Has Been Spying On Hundreds Of Targets, With China As Its Key Target