According to cybersecurity firm Mandiant, a prolific Chinese hacking group known for carrying out espionage in parallel with financially motivated operations has compromised multiple US state government networks.

APT41, a Chinese state-sponsored hacking group, seemingly undeterred by US indictments against five of its members in 2020, conducted a months-long campaign in which it targeted and successfully breached at least six US state government networks.

Between May 2021 and February 2022, the group exploited vulnerable internet-facing web applications to gain an initial foothold in state government networks.

As TechCrunch reported, the intrusions included exploitation of a zero-day vulnerability in USAHerds, an application used by 18 states for animal health management, and of the infamous Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j, an open-source Java logging library.

Mandiant threat analyst Van Ta said that USAHerds data was not the final target. He said his team tracked the group pivoting into other parts of the networks but was “unable to uncover specifically what they were after.”

According to Mandiant’s research, its team uncovered a variety of new techniques, evasion methods and capabilities used by the group.

In one instance, after gaining access to a network through a SQL injection vulnerability in a web application, APT41 returned two weeks later to re-compromise the same network with a brand-new zero-day exploit.

The group also tailored its malware to each victim’s environment and relied on a dead-drop resolver: rather than hard-coding the address of its command-and-control server, the malware read encoded data that the attackers kept updating in a specific forum post, so the implant could always locate the current server and receive instructions from it.
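To make the dead-drop pattern concrete, here is a small generic illustration of the technique (MITRE ATT&CK T1102.001) added to this article; it is not code from Mandiant’s report or from APT41, and the marker string, base64 encoding, post format and hostnames are assumptions chosen for the example. The same resolver reads both posts, which is the point of the technique: the operator changes the post, not the implant, to move the command-and-control endpoint. The resolver doubles as a check a defender can run over cached copies of a suspect thread.

```python
"""Generic dead-drop-resolver illustration (MITRE ATT&CK T1102.001).

Added example, not code from the Mandiant report or from APT41: the marker,
encoding and post layout below are assumptions chosen for illustration.
"""
import base64
import re
from typing import Optional, Tuple

# Assumed marker the implant searches for; the encoded endpoint follows it.
MARKER = "sig:"

# base64 alphabet (with padding) immediately after the marker
_PATTERN = re.compile(re.escape(MARKER) + r"\s*([A-Za-z0-9+/=]+)")


def encode_dead_drop(c2_host: str, c2_port: int) -> str:
    """Operator side: hide host:port in text that passes as a forum signature."""
    payload = f"{c2_host}:{c2_port}".encode()
    return f"{MARKER} {base64.b64encode(payload).decode()}"


def make_post(body: str, c2_host: str, c2_port: int) -> str:
    """Build a constructed forum post (sample data, not a real post)."""
    return f"{body}\n--\n{encode_dead_drop(c2_host, c2_port)}\n"


def resolve_dead_drop(post_text: str) -> Optional[Tuple[str, int]]:
    """Implant side: extract whatever endpoint the post currently carries.

    Returns None when no marker is present or the blob does not decode to
    a well-formed host:port, so a defaced or edited post fails closed.
    """
    m = _PATTERN.search(post_text)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
        host, port = decoded.rsplit(":", 1)
        return host, int(port)
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad base64) is a ValueError subclass
        return None


def looks_like_dead_drop(post_text: str) -> bool:
    """Defender-side check: does this post carry a decodable endpoint?"""
    return resolve_dead_drop(post_text) is not None


if __name__ == "__main__":
    # Two versions of the same constructed thread: the operator has
    # edited the signature to move C2 without touching the implant.
    body = "Same here, rolling back the driver fixed it for me."
    first = make_post(body, "updates.example.net", 443)
    second = make_post(body, "cdn.example.org", 8443)
    print(resolve_dead_drop(first))   # ('updates.example.net', 443)
    print(resolve_dead_drop(second))  # ('cdn.example.org', 8443)
    print(looks_like_dead_drop("just a normal reply"))  # False
```

In practice the encoding is rarely plain base64 and the marker is chosen to look like forum noise, so a detection built on this exact pattern would be brittle; the durable signal is the implant’s behaviour, namely a process that periodically fetches a public page it has no business reading and then opens a connection to a host that appears nowhere in the page’s visible text.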

Though Mandiant said it saw evidence of the hackers exfiltrating personally identifiable information, which is typically consistent with an espionage operation, the campaign’s goal remains unclear; whatever the group is after must be of high value.

Geoff Ackerman, a principal threat analyst at Mandiant, said that while the world is focused on the potential of Russian cyber threats in the wake of Russia’s invasion of Ukraine, this investigation is a reminder that other major threat actors around the world are continuing their operations as usual.

Geoff Ackerman said, “we cannot allow other cyber activity to fall to the wayside.”

Ackerman concluded that the group “is truly a persistent threat” and a “reminder that state-level systems in the United States are under unrelenting pressure from nation-state actors like China, as well as Russia.”
