Mandiant researchers say the hackers responsible for a recent campaign against Barracuda email security gateway (ESG) devices have carried out follow-up attacks against compromised organizations that the Chinese government regards as “high priority targets,” and have made substantial efforts to bypass remediation by victims.
A previously unknown threat group, UNC4841, which Mandiant and the FBI this month said has clear links to China, compromised Barracuda ESG appliances around the world between October 2022 and June 2023.
Mandiant was hired by Barracuda to investigate the attacks when they were discovered in May and has been working closely with impacted organizations and authorities in several jurisdictions.
In a research report published today, Mandiant said its analysis shows UNC4841 was able to deploy additional malware to maintain a presence on a smaller group of networks it was targeting, even as organizations scrambled to remediate the initial attacks.
A limited number of victims remained at risk from a novel backdoor malware, called DEPTHCHARGE, that the threat group deployed to maintain persistence in response to remediation efforts.
“UNC4841’s deployment [of] select backdoors suggests this threat actor anticipated, and prepared for remediation efforts, by creating tooling in advance to remain embedded in high-value targets, should the campaign be compromised,” wrote researchers Austin Larsen, John Palmisano, John Wolfram, Matthew Potaczek and Michael Raggi.
“It also suggests that despite this operation’s global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks.”
Austin Larsen, the report’s lead author and a senior incident response consultant at Mandiant, Google Cloud, told SC Media in a statement that China-aligned espionage groups have been working to make their operations more impactful, stealthy and effective.
"We’re contending with formidable adversaries that boast vast resources, funding, and the know-how to successfully execute global espionage campaigns undetected,” he said.
About 5% of all Barracuda ESG appliances globally were compromised through the campaign. Mandiant said that while UNC4841 was intent on maintaining persistence across a subset of those devices, no new compromises of additional appliances had been detected since Barracuda released a patch for the initial remote command injection vulnerability (CVE-2023-2868).
Government agencies and tech companies targeted
As Mandiant examined the tools deployed by UNC4841, they noticed a distinct emphasis on targeting government organizations, information technology companies and other high-tech targets, something that “supports the assessment that the campaign had an espionage motivation,” the researchers said.
One government organization confirmed to have been compromised in the campaign was the Australian Capital Territory Government which administers the Australian federal territory that is home to the nation’s capital city, Canberra.
UNC4841 had been observed attempting to log in to Outlook Web Access mailboxes belonging to users from victim organizations.
In the cases where UNC4841 was able to obtain unauthorized access to a limited number of accounts, the group does not appear to have sent any email from the compromised accounts or taken other overtly noticeable actions. Mandiant believes the group was likely attempting to maintain access to compromised users’ mailboxes and gather information.
“Due to their demonstrated sophistication and proven desire to maintain access, Mandiant expects UNC4841 to continue to alter their tactics, techniques and procedures and modify their toolkit as network defenders continue to take action against this adversary, and their activity is further exposed by the security community.”
On August 23 the FBI advised Barracuda ESG customers to remove the appliances from their networks immediately. The bureau said the patches Barracuda had issued in response to the vulnerability being exploited by UNC4841 were ineffective.
The Barracuda hack is the second major Chinese espionage campaign targeting Western governments disclosed over the past few months. In July, Microsoft revealed that a separate hacking group linked to Beijing had acquired a private encryption key that granted them widespread access to Outlook and Exchange cloud services, which was used to compromise at least 25 organizations, including the email accounts of Secretary of Commerce Gina Raimondo and officials at the Department of State.
Following Microsoft's disclosure, researchers at Wiz claimed the stolen Microsoft key used in the campaign would have given Chinese hackers access to a much broader range of Microsoft services, including SharePoint, Teams, OneDrive, customers’ applications that support the 'login with Microsoft' functionality, and multi-tenant applications in certain conditions.
Due to Microsoft's policy of charging extra for security logging, Wiz head of research Shir Tamari said it is virtually impossible for many Microsoft customers to know if they were affected by the campaign or detect signs of compromise. Microsoft backtracked on that policy a week later, announcing that it would make certain forms of security logging free for all customers moving forward.