A hacker group backed by the Chinese regime has exploited vulnerabilities in the online systems of at least six U.S. state governments in order to compromise and gain access to those networks, cybersecurity firm Mandiant said on March 8.
Mandiant’s lengthy report presents the findings of an investigation that began in the spring of 2021, in response to a breach by a hacker group known as “APT41” of an unnamed state government’s system, and continued through last month.
“Our investigation into APT41 activity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting U.S. state governments. During this timeframe, APT41 successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications, often written in ASP.NET,” the report stated.
ASP.NET, developed by Microsoft, is an open-source web framework enabling users to construct internet apps and services on the .NET platform. The weaknesses and vulnerabilities of some versions of ASP.NET have been public knowledge for years. The website CVE Details has even published lists of various design flaws, such as the inability to handle an unencrypted view state or the vulnerability to a denial of service transmitted via a SOAP message, that might allow hackers and other bad actors to attack and disrupt apps and services utilizing ASP.NET.
Despite these vulnerabilities, some states in the U.S. continue to utilize the platform for web-facing systems. The Mandiant report did not name the six states known to have suffered APT41 breaches during the period under review.
The motive for the attacks is financial, and specifically the hackers’ personal gain, according to Mandiant.
Cyberespionage on the part of APT41 is not a new phenomenon, the report stated, referencing the organization’s long record of mass scanning and exploitation of vulnerabilities. APT 41 is known to have targeted computer and internet systems and networks in industries and sectors as diverse as banking, defense, education, the legal industry, oil and gas, real estate, telecommunications, and travel.
In 2020, five Chinese nationals from the hacker group were indicted in the United States on charges relating to sprawling hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide.
What sets apart the breaches detailed in the new report is their deliberate targeting of U.S. state governments.
Mandiant’s report detailed how a favorite target of the Chinese hackers has been the USAHerds app, which 18 states utilize to keep track of the health of animals and coordinate responses to any outbreaks. Three investigations carried out in 2021 led to findings that APT41 had seized upon a zero-day vulnerability in the USAHerds app to breach its security.
Mandiant also relays the surprising finding that, even after a highly similar vulnerability had come to light in Microsoft Exchange Server, which made use of a decriptionKey and static validationKey, USAHerds installations relied on the same machineKey values.
The new report comes amid warnings that the Chinese regime is on track to becoming a global cyber superpower. It is also the latest in a string of breaches allegedly attributed to Chinese state-sponsored hackers.
Chinese hackers are widely suspected of having orchestrated the long-running cyberattack announced last month which targeted News Corp., publisher of the Wall Street Journal and the New York Post.
Last year, the United States formally attributed the massive breach of Microsoft’s email server to hackers affiliated with the regime’s top intelligence agency, the Ministry of State Security. The hack compromised tens of thousands of systems globally.