A technically advanced hacking group backed by the Chinese government has compromised the computer systems of at least six US state governments, according to a newly published threat report from cybersecurity firm Mandiant.
The group, which Mandiant refers to as APT41, targeted state governments in the US between May 2021 and February 2022, according to the report. Where networks were breached, Mandiant found evidence of the exfiltration of personally identifying information “consistent with an espionage operation,” although the company said that it could not make a definitive assessment of intent at this time.
All in all, Mandiant’s research paints a picture of a formidable, constantly adapting adversary.
“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques,” the report reads. “APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use.”
A spokesperson from the Cybersecurity and Infrastructure Security Agency (CISA) confirmed to The Verge that the agency was aware of the threat. In a statement, the spokesperson said:
“CISA is actively working with our JCDC [Joint Cyber Defense Collaborative] private sector partners, including Mandiant, and government partners to address this advanced persistent threat to state government agencies and assist impacted entities. We encourage all organizations and critical infrastructure entities impacted by cyber intrusions to report to CISA, and to visit CISA.gov to take action to protect themselves.”
Mandiant has a history of uncovering severe cybersecurity threats, including state-sponsored attacks like the SolarWinds hack mounted against major US government agencies by hackers believed to be backed by the Russian government. The company was also recently acquired by Google in a deal announced alongside the release of the report.
According to Mandiant’s research, the APT41 group was able to breach the government networks by exploiting vulnerabilities in applications built with Microsoft’s .NET developer platform, including one previously unknown vulnerability in the animal health reporting database system USAHERDS.
First developed for the Pennsylvania Department of Agriculture, USAHERDS was touted as a model for improving disease traceability in livestock and subsequently adopted by other states. But a coding oversight led to the encryption keys that authorized certain operations within the application being “hard-coded” — meaning that the keys were the same across all instances of USAHERDS, and compromising just one installation would allow a hacker to execute their own code on any system running the software.
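As an added illustration of the risk described above (this is not code from Mandiant, the article, or USAHERDS), the following Python check flags key material that is identical across several installations of the same application and generates a unique replacement; the config element, attribute names and sample values are constructed placeholders, not the real USAHERDS configuration schema.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample config fragments for three hypothetical installations
# of the same .NET web application. The <cryptoKeys> element and its
# attribute names are placeholders, not the real USAHERDS configuration schema.
SHARED_VALIDATION = "A1B2C3D4E5F60718" * 4   # 64 hex chars, deliberately reused
SHARED_DECRYPTION = "00112233445566778899AABBCCDDEEFF"
SAMPLE_CONFIGS = {
    "install-a": f'<configuration><cryptoKeys validationKey="{SHARED_VALIDATION}" '
                 f'decryptionKey="{SHARED_DECRYPTION}"/></configuration>',
    "install-b": f'<configuration><cryptoKeys validationKey="{SHARED_VALIDATION}" '
                 f'decryptionKey="{SHARED_DECRYPTION}"/></configuration>',
    "install-c": '<configuration><cryptoKeys validationKey="FFEEDDCCBBAA99887766554433221100'
                 'FFEEDDCCBBAA99887766554433221100" '
                 'decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"/></configuration>',
}


def extract_keys(xml_text):
    """Return (validationKey, decryptionKey) from one config, or None if absent."""
    node = ET.fromstring(xml_text).find("cryptoKeys")
    if node is None:
        return None
    return node.get("validationKey"), node.get("decryptionKey")


def find_shared_keys(configs):
    """Map each key pair that appears in more than one installation to the
    installations using it. Any hit means a compromise of one install exposes
    the others, which is the failure mode the article describes."""
    by_key = defaultdict(list)
    for name, xml_text in configs.items():
        keys = extract_keys(xml_text)
        if keys is not None:
            by_key[keys].append(name)
    return {keys: names for keys, names in by_key.items() if len(names) > 1}


def generate_unique_keys():
    """Fresh per-installation keys from the OS CSPRNG: a 256-bit validation
    key and a 128-bit decryption key, as uppercase hex."""
    return secrets.token_hex(32).upper(), secrets.token_hex(16).upper()


if __name__ == "__main__":
    for keys, names in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"key pair reused by {', '.join(names)}; rotate to e.g. {generate_unique_keys()}")
```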
Rufus Brown, a senior threat analyst at Mandiant, told The Verge that the full scale of the breach could include more targets than the six that are currently known.
“We say ‘at least six states’ because there are likely more states affected, based on our research, analysis, and communications with law enforcement,” Brown said. “We know that there are 18 states using USAHERDS, so we assess that this is likely a broader campaign than the six states where we have confirmation.”
An email sent to Acclaim Systems, the developers of USAHERDS, had not received a response at the time of publication.
Besides the compromise of .NET-based applications, APT41 also exploited the Log4Shell vulnerability, a serious and widespread bug in the Java Log4j library that was publicly disclosed in December 2021. According to Mandiant’s analysis, APT41 began to mount attacks that exploited Log4j within only hours of details of the vulnerability being published and used the vulnerability to install backdoors into Linux systems that would give them ongoing access at a later date.
All of this points towards the sophistication and stealth of the APT41 group, characteristics that have been a hallmark of its operation since it was first discovered.
In cybersecurity parlance, “APT” designations are given to Advanced Persistent Threats — the most sophisticated level of threat actor and one that is typically either directly employed by a national government (e.g., the notorious Sandworm group, believed to be a unit of Russia’s GRU military intelligence agency) or an elite hacker group operating with state backing.
The activities of APT41 were first detailed in-depth in a report from cybersecurity firm FireEye, which nicknamed the hacking group “Double Dragon” for its dual focus on espionage and financial cybercrime. Among other things, the FireEye report outlines a history of supply chain attacks against software developers going back as far as 2014; in some documented cases, APT41 hackers were even able to inject malicious code into video game files that were sold to users by legitimate games distributors.
The actions of the hacking group eventually brought it to the attention of US authorities, and the Department of Justice issued charges against five members of APT41 in 2019 and 2020, landing them a place on the FBI’s cyber most wanted list as a result.
While APT41 has been known to conduct financial crime as well as espionage operations, Mandiant researchers believe that in this case, the goal is the latter.
“This is pretty consistent with an intelligence operation, likely espionage,” Brown told The Verge. “Whatever they’re after here is really important, and it seems like they’ll continue to go after it ... At the end of the day, this stuff is not going to end until the folks behind it are arrested.”
The FBI did not respond to a request for comment.
Updated March 9 at 9:35am to include CISA statement.