WASHINGTON — Hackers working on behalf of the Chinese government broke into the computer networks of at least six state governments in the United States in the last year, according to a report released Tuesday by a private cybersecurity firm.
The report from Mandiant does not identify the compromised states or offer a motive for the intrusions, which began last May. But the Chinese group believed responsible for the breaches, APT41, is known to launch hacking operations both for old-fashioned espionage purposes and for financial gain.
“While the ongoing crisis in Ukraine has rightfully captured the world’s attention and the potential for Russian cyber threats are real, we must remember that other major threat actors around the world are continuing their operations as-usual,” said Geoff Ackerman, a principal threat analyst at Reston, Virginia-based Mandiant Inc.
He added in his statement: “We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day.”
State agencies remain ripe targets for hackers, even as the Biden administration has announced additional steps to safeguard federal government systems from hacking. That’s an especially urgent concern in light of the massive SolarWinds espionage campaign in which Russian intelligence operatives exploited supply chain vulnerabilities to break into the networks of at least nine U.S. agencies and dozens of private-sector companies.
In this case, the report says, the hackers exploited a previously unknown vulnerability in an off-the-shelf commercial web application used by 18 states for animal health management.
In addition, they exploited a software flaw known as Log4j that was discovered in December and that U.S. officials said was possibly present in hundreds of millions of devices. The hackers began exploiting the vulnerability within hours of an advisory that disclosed it to the public, and late last month they re-compromised two previous U.S. state government victims, the report said.
The hackers’ “persistence to gain access into government networks, exemplified by re-compromising previous victims and targeting multiple agencies within the same state, (shows) that whatever they are after it is important,” Rufus Brown, a senior threat analyst at Mandiant, said in a statement. “We have found them everywhere, and that is unnerving.”
The same hacking group, APT41, was implicated in a 2020 Justice Department indictment that accused Chinese hackers of targeting more than 100 companies and institutions in the U.S. and abroad, including social media and video game companies, universities and telecommunications providers.
“Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020,” the Mandiant report states.
The Chinese government in the past has described itself as a staunch defender of cybersecurity and has dismissed U.S. accusations of hacking as “groundless” speculation.
Mandiant is being acquired by Google in a deal worth $5.4 billion, the companies announced on Tuesday.