Three separate Chinese state-sponsored advanced persistent threat groups have been observed targeting victims, including U.S. state governments, European diplomatic entities and Gmail accounts linked to the U.S. government.
The first group, APT41, also known as Wicked Panda and Winnti, is believed by researchers at Mandiant Inc. to have successfully compromised at least six U.S. state government networks. The group did so by exploiting vulnerable internet-facing web applications, including through zero-day, or previously unknown, vulnerabilities in the USAHerds application and Apache Log4j.
The campaign by APT41 ran between May 2021 and February 2022. Although Chinese state-sponsored actors targeting networks in the West is nothing new, the researchers note that one remarkable aspect is how quickly the group moves to exploit vulnerabilities once they become known.
In the case of the now-infamous Log4j vulnerability, the Chinese hackers were exploiting the vulnerability within hours of it being disclosed. The exploitation of the initial Log4j vulnerability — there ended up being multiple vulnerabilities — directly led to the compromise of two U.S. state government networks as well as other targets in insurance and telecoms. Having gained access, APT41 then undertook extensive credential collection.
APT41 was linked by the BlackBerry Ltd. Research & Intelligence team to a range of previous campaigns in October. The U.S. Department of Justice indicted five Chinese nationals and two Malaysians linked to the group in September.
“Based on my extensive experience in tracking nation-state adversaries, China is deeply concerned with knowing as much as they can at all times,” Aubrey Perin, lead nation-state threat intelligence analyst at information security and compliance firm Qualys Inc., told SiliconANGLE. “Their belief system around information being a public domain differs with the United States’ notion of intellectual property. As long as China is not spying for the sake of harming others, it is on brand for them to be poking about in ways that come to fruition in instances such as these.”
The second campaign, detailed by researchers at Proofpoint Inc., relates to the…