WASHINGTON—Hackers believed to be sponsored by the Chinese government have accessed computer systems in six U.S. state governments in a continuing espionage campaign that included the use of the widespread Log4j computer bug detected late last year, according to cybersecurity researchers.

The hacks, which took advantage of vulnerable internet-facing web applications, date to at least May 2021, according to new findings made public Tuesday by the U.S.-based cybersecurity firm Mandiant. As recently as February, two of the victims were hacked again by the same group.

The researchers at Mandiant said the hacks are part of an unusually persistent and aggressive campaign from a prolific Chinese hacking group—dubbed Advanced Persistent Threat 41, or APT 41, by Mandiant—that U.S. officials have previously linked to Beijing’s Ministry of State Security.

The U.S. Justice Department indicted APT 41 hackers in 2020. Though prosecutors didn’t state the hackers worked directly for China’s intelligence service, officials at the time said the nature of the hackers’ activity, including the targeting of pro-democracy politicians and activists in Hong Kong, and other circumstantial evidence pointed to the involvement of Chinese intelligence. In charging papers prosecutors said one of the hackers boasted about his affiliation with the Chinese Ministry of State Security.

China has denied hacking Western businesses or governments. A spokesman for the Chinese Embassy in Washington didn’t immediately respond to a request for comment.

Mandiant didn’t disclose which specific states or government agencies had been breached in the campaign. The firm said that the hackers infiltrated networks in six states and that in some cases more than one computer network, belonging to separate agencies in a single state, was compromised. Mandiant didn’t speculate on the hackers’ goal, but the hackers were seen downloading personally identifiable information from some victim networks, an action consistent with the group’s past espionage activities.

APT 41 has previously been linked to a range of hacking activity against targets in finance, healthcare, real estate and the U.S. defense industrial base. Researchers have said it might be the most prolific of all Chinese hacking groups.

Cybersecurity researchers and U.S. officials have accused the group of moonlighting as for-profit criminals in addition to conducting intelligence missions on behalf of the Chinese state. In 2020, federal prosecutors indicted five Chinese citizens with charges related to alleged hacks of more than 100 companies in the U.S. and overseas, including social-media firms, universities and telecommunications providers, and said those alleged hackers were part of APT 41. The charges coincided with the arrests of two Malaysian businessmen accused of conspiring with the Chinese hackers to profit from intrusions into the videogame industry.

“APT 41 continues to pose a significant threat to public and private organizations alike around the world,” said Geoff Ackerman, principal threat analyst at Mandiant. “We have found them everywhere, and that is unnerving.”

In a campaign persisting over months, the hackers deployed sophisticated tradecraft that included the use of a “zero-day” flaw within a commercial application used by 18 states to track disease outbreaks in animals and report livestock incidents. A zero-day is an exploit that is considered potent because it relies on a computer flaw that was previously undetected, so no fix for it yet exists.

The APT 41 hackers also were quick to leverage new vulnerabilities to facilitate their break-ins, Mandiant said, and were seen using the Log4j flaw within hours of security researchers uncovering and publicizing it in December. Log4j is a widely used piece of open-source logging software that is so common in everyday internet architecture that U.S. officials warned the bug could open the door to a surge in cyberattacks. Cybersecurity researchers warned that the software’s ubiquity likely will translate into threats that could last for years.

Mandiant said the APT 41 hackers leveraged the Log4j flaw to compromise at least two of the state governments, as well as other targets in the insurance and telecommunications industries.

Mandiant’s reporting on the Chinese hacking campaign came as U.S. intelligence officials renewed warnings about China as a particularly capable and dangerous cyber threat to the country.

“We assess that China presents the broadest, most active, and persistent cyber espionage threat to U.S. government and private sector networks,” said the annual threat assessment from the U.S. intelligence community, released Tuesday and presented to Congress. Some of Beijing’s hacking targets are “potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations,” the report said.

Separately, Alphabet Inc.’s Google LLC unit on Tuesday said it agreed to buy Mandiant. Google said the acquisition of Mandiant, slated to close later this year, would complement the security strengths of its Google Cloud business.

Write to Dustin Volz at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
