
Mandiant Reports 6 U.S. States Hacked by China-Backed Actors

China state-backed APT41 hacked at least six states between May 2021 and February 2022. Several of the incidents occurred when hackers exploited flaws in Log4J and the USAHERDS system, reports cybersecurity firm Mandiant.

Chinese government-sponsored attackers have managed to hack at least six states, according to a March 8 blog post from cybersecurity firm Mandiant. The company did not reveal which states were affected but said U.S. state governments appear to have been deliberately targeted rather than simply falling victim to an indiscriminate mass attack.

Some of the attacks were made after hackers discovered encryption keys to USAHERDS, a software application used by 18 state governments. Once known, these same keys could work against every server running USAHERDS, Mandiant said, meaning that more than just these six states could have been impacted. According to WIRED, Mandiant says the software’s developer, Acclaim Systems, has since patched the vulnerability.

APT41: CYBER ESPIONAGE AND PERSONAL PROFIT

The hackers are a Chinese state-backed cyber espionage group with a history of targeting public- and private-sector organizations, Mandiant wrote. Mandiant labels this group APT41, and it’s likely the same group that other cybersecurity firms call “Barium” or “Wicked Panda,” according to the Washington Post.

Hackers appear to have conducted “extensive reconnaissance and credential harvesting,” and extracted personally identifiable information (PII), which could be desirable in a cyber spying campaign. But Mandiant also said it is too early to determine APT41’s objectives. The group has a track record of using attacks both to advance government spying and to turn a personal profit, making it difficult to pinpoint its goals.

USAHERDS, LOG4J AND MORE

The investigated attacks occurred between May 2021 and February 2022 and took several different forms. In several instances, hackers returned to re-target the same states they had already attacked, “demonstrating their unceasing desire to access state government networks,” Mandiant said.

At least two state governments were compromised when APT41 exploited the Log4Shell vulnerability, which the group began working to exploit mere hours after the weakness was publicly disclosed. That vulnerability affects Log4j, a piece of open source software incorporated deep into many other software programs.

In three 2021 instances, state systems were breached through a weakness in a livestock disease tracking application called USAHERDS. The attackers gained access by exploiting a zero-day vulnerability — a newly discovered weakness for which there was not yet a patch.

USAHERDS proved to be particularly risky because it was developed in a way so that the same encryption keys work on all installations of the tool, rather than each one having its own. This “is against the best practice of using uniquely generated machineKey values per application instance,” Mandiant says.

Once APT41 got the keys to compromise one instance of USAHERDS, “they were able to compromise any server on the Internet running USAHERDS,” Mandiant writes. “As a result, there are potentially additional unknown victims.”
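A defender's check for the shared-key weakness the report describes, written for this page and not taken from Mandiant, Acclaim Systems or the USAHERDS code base: it parses ASP.NET web.config files (the constructed samples below stand in for a fleet of hypothetical instances) and flags machineKey values that are hard-coded rather than auto-generated, and values that are identical across more than one instance.

```python
"""Audit ASP.NET web.config files for hard-coded or shared machineKey values.
Sample configs and key material are constructed for illustration, not real."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Hypothetical instances: A and B ship the same hard-coded key pair (the
# anti-pattern described above); C lets ASP.NET generate per-instance keys.
SAMPLE_CONFIGS = {
    "instance-A": '<configuration><system.web><machineKey validationKey="AAAA1111" '
                  'decryptionKey="BBBB2222" validation="HMACSHA256" decryption="AES"/>'
                  '</system.web></configuration>',
    "instance-B": '<configuration><system.web><machineKey validationKey="AAAA1111" '
                  'decryptionKey="BBBB2222" validation="HMACSHA256" decryption="AES"/>'
                  '</system.web></configuration>',
    "instance-C": '<configuration><system.web><machineKey '
                  'validationKey="AutoGenerate,IsolateApps" '
                  'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
}


def extract_machine_key(xml_text):
    """Return (validationKey, decryptionKey) or None if no machineKey element exists."""
    elem = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if elem is None:
        return None
    return (elem.get("validationKey", ""), elem.get("decryptionKey", ""))


def is_static(key_value):
    """A key is hard-coded unless ASP.NET is told to generate it (AutoGenerate[,IsolateApps])."""
    return not key_value.strip().upper().startswith("AUTOGENERATE")


def audit(configs):
    """Map instance name -> list of findings. Flags hard-coded keys, and keys that
    recur across instances (the condition that lets keys taken from one server
    work against every other installation)."""
    findings = {name: [] for name in configs}
    instances_by_key = defaultdict(list)
    for name, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys is None:
            continue  # no explicit machineKey: ASP.NET defaults to AutoGenerate
        if any(is_static(k) for k in keys):
            findings[name].append("hard-coded machineKey")
            instances_by_key[keys].append(name)
    for names in instances_by_key.values():
        for name in names:
            others = sorted(n for n in names if n != name)
            if others:
                findings[name].append("machineKey shared with " + ", ".join(others))
    return findings
```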

Eighteen states use USAHERDS, according to the Mandiant post. WIRED reports that Mandiant informed the developer behind USAHERDS of the issue in late 2021 and that it has since been patched.