China-backed APT41 compromised US state networks, security firm says

Hackers exploited vulnerabilities in internet-facing web applications to infect systems

China-backed hacking group APT41 breached six US state government networks between May 2021 and February 2022 by exploiting security vulnerabilities in internet-facing web applications, a new report published by cybersecurity firm Mandiant has revealed.

The notorious threat group, also known as Double Dragon, Barium and Winnti, has a history of targeting both governmental and private sector organisations in order to carry out espionage activities along with financially driven operations.

Mandiant said that APT41 targeted state governments in the United States between May 2021 and February 2022, with its researchers finding evidence of the exfiltration of personally identifying information that was consistent with an espionage operation.

The vulnerabilities exploited by the group included a zero-day (CVE-2021-44207) in the animal health reporting database system USAHERDS as well as the infamous zero-day (CVE-2021-44228) in Log4j that was uncovered in December last year.

Microsoft-based USAHerds system is used by 18 US states to document livestock health.

According to Mandiant, APT41 started mounting assaults targeting Log4j bug within hours after the bug details were publicly disclosed.

The foothold established after the exploitation of Log4j bug enabled attackers to deploy a new variant of a modular C++ backdoor known as KEYPLUG on Linux systems.

The researchers also observed an in-memory dropper called DUSTPAN (StealthVector) during the attacks, allowing actors to execute the next-stage payload, as well as advanced post-compromise tools such as DEADEYE.

According to Mandiant, APT41 can quickly modify their initial access tactics to re-compromise an environment through a different vector, or by fast operationalising a fresh vulnerability.

The organisation also appears to show a willingness to retool and deploy capabilities via new attack vectors, rather than holding onto them for future use.

It's unclear what, if any, information APT41 took from the different state agencies, but the attackers hopped from department to department, and in at least one case, Mandiant discovered evidence of APT41 exfiltrating personally identifiable information from the systems it breached.

In 2020, the US Department of Justice (DoJ) indicted five Chinese individuals and members of the APT41 group for their alleged role in state-sponsored hacking campaigns targeting over 100 firms based in the US and other countries.

The court documents showed that APT41 members were operating probably with the approval of the Chinese government to target hundreds of individuals and organisations, including video game makers, computer hardware manufacturers, telecom firms, social media platforms, think tanks, universities, foreign governments and pro-democracy campaigners in Hong Kong.

Commenting on APT41 and its activities, Brian Fox, CTO of Sonatype said: "The news of China's APT41 hacking group breaching US state government networks tracks with the typical time-lapse we see with zero-day vulnerabilities like Log4Shell. The Equifax breach, which was similar in nature, took around five months to clear the airwaves from the initial exploit. So, from a historical perspective this isn't surprising: a high-spread, low-complex vulnerability equals a 100 per cent chance of being used.

"What is more surprising and even more concerning is our data shows that nearly 40 per cent of Log4Shell downloads are still of vulnerable versions. Meaning there's a high chance that other state and national governments - not just in the US - will be breached in the coming months by bad actors."

Earlier this week, Google announced it is to acquire Mandiant for $5.4 billion.