A hacking group tied to the Chinese government has exploited zero-day vulnerabilities in internet-facing web applications — including Log4j — to compromise the networks of at least six U.S. state governments over the past year, according to threat intelligence firm Mandiant.
The earliest signs of the campaign were detected in May 2021 and have continued through at least February 2022. Attackers leveraged a number of zero-day vulnerabilities, such as Log4j and a previously undiscovered flaw in USAHerds, a commercial-off-the-shelf application used for tracing animal diseases.
The hacking group, APT41, is believed to be associated with the Chinese Ministry of State Security and is known for targeting industries and intellectual property tied to technologies that align with China’s 13th five-year economic plan, including the telecommunications, health care and high tech sectors. It has also been observed targeting higher education, media firms and the video game industry, and it is unusual as one of the few state-connected APTs that appear to hack both for espionage and for financially motivated reasons.
Rufus Brown, a senior threat analyst at Mandiant, said the use of Log4j is notable because it demonstrates how quickly some state-sponsored groups were able to move to exploit the vulnerability. Just hours after Log4j was disclosed in December 2021, APT41 began incorporating it into their ongoing campaign to compromise at least two state governments. While there is evidence that APT41 also used Log4j against private insurance and telecommunications firms, the targeting of U.S. state governments in this campaign was specific and deliberate.
“They are going after any external web application server that they can exploit... anything they can get to gain a foothold in state government environments,” said Brown.
In the weeks following Log4j's disclosure, agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and private threat intelligence firms initially reported low levels of exploitation by criminal actors for things like cryptocurrency mining, but Brown said there is increasing evidence that state-backed hacking groups were able to quickly exploit the bug as well.
Meanwhile, the use of another zero-day flaw in USAHerds (CVE-2021-44207) indicates that the victim set could go beyond the initial six states identified by Mandiant. The application uses the same static validation and decryption keys across all installations by default, and the vulnerability exploits this fact to compromise any internet-facing server running the application. A GitHub page compiled by Mandiant for the flaw states that it has now been patched and affects all builds of USAHerds prior to November 2021.
While it’s not known how APT41 obtained the original machine key values, it would theoretically allow them to exploit the same weakness in other states that use USAHerds. At least 18 states are known to use the software, and Brown said it is likely that other states have been compromised by the flaw and don’t know it.
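The weakness described above, static validation and decryption keys that are identical across every deployment, is the kind of thing a defender can audit for directly. The following is an added example, not code from the article or from the USAHerds vendor; it assumes the keys live in an ASP.NET web.config `<machineKey>` element (the article does not name the framework) and uses constructed sample configs with made-up key values. It flags hardcoded keys and, across a set of configs, keys that are shared between deployments, which is the pattern that makes one leaked key a fleet-wide problem.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for three hypothetical deployments.
# The key values are invented for this example and are not real USAHerds keys.
STATIC_KEYS = (
    'validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90" '
    'decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"'
)
SAMPLE_CONFIGS = {
    # Two deployments shipping the same vendor-supplied static keys (the weak setting).
    "state-a/web.config": f'<configuration><system.web><machineKey {STATIC_KEYS} '
                          'validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
    "state-b/web.config": f'<configuration><system.web><machineKey {STATIC_KEYS} '
                          'validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
    # The corrected setting: per-host, per-application keys generated by the runtime.
    "state-c/web.config": '<configuration><system.web><machineKey '
                          'validationKey="AutoGenerate,IsolateApps" '
                          'decryptionKey="AutoGenerate,IsolateApps" '
                          'validation="HMACSHA256" decryption="AES"/></system.web></configuration>',
}


def audit_machine_keys(configs):
    """Return a list of (where, attribute, finding) tuples.

    'hardcoded' marks a literal key in one config; 'shared-across-deployments'
    marks the same literal key appearing in more than one config.
    """
    findings = []
    seen = {}  # (attribute, key fingerprint) -> list of config paths using it
    for path, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        for mk in root.iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                # An absent attribute falls back to the runtime default, AutoGenerate.
                value = mk.get(attr, "AutoGenerate")
                if value.startswith("AutoGenerate"):
                    continue
                findings.append((path, attr, "hardcoded"))
                # Fingerprint rather than record the key itself in the report.
                fingerprint = hashlib.sha256(value.encode()).hexdigest()[:16]
                seen.setdefault((attr, fingerprint), []).append(path)
    for (attr, _), paths in seen.items():
        if len(paths) > 1:
            findings.append((", ".join(sorted(paths)), attr, "shared-across-deployments"))
    return findings


if __name__ == "__main__":
    for where, attr, finding in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"{finding:26} {attr:14} {where}")
```

Run against real configs, the report should come back empty; any `shared-across-deployments` line means a single leaked key value unlocks every listed host.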
They’re also persistent: in two instances, Mandiant said, it began investigating a compromise at one state agency only to find the group inside the network of another. As recently as Feb. 22, attackers were observed re-compromising the IT systems of two states they had previously broken into, often using different initial access vectors and tactics, techniques and procedures.
“The most important takeaway I have is the creativity and operational capability that APT41 has,” Brown said. “They were conducting operations against U.S. state governments and then switched to Log4j when [proof-of-concept code] came out in an advisory. They took advantage of what they had.”
APT41 has a long history of targeting U.S. and Western technology secrets. Between 2019 and 2020, the Department of Justice indicted five hackers from the group for targeting more than 100 companies in the United States and other countries while seizing hundreds of accounts, servers, domain names and command and control pages used by the group to carry out operations. The victims included software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks and foreign governments.
In some cases the attackers exfiltrated unspecified personally identifiable information (PII), something that would be consistent with the espionage-minded background and goals of previous operations by APT41. However, Brown said that for all six of the state governments where APT41’s presence was detected, the intruders were kicked out before they could complete their full attack chain. As a result, Mandiant is shying away from making a formal assessment of the group’s goals at this time.
“We haven’t observed any sign that this campaign is stopping. Whatever they’re going after must be very important,” Brown noted.