Beijing’s spies compromised government computer networks in six US states by exploiting, among other flaws, a vulnerability in a cattle-counting system, according to Mandiant.
Meanwhile, Proofpoint reckons a China-aligned miscreant is targeting European governments. Both firms warned this week that Middle-Kingdom-backed snoops are stepping up their operations against Western targets.
Mandiant said APT41 aka Double Dragon, one of China’s more aggressive intrusion crews, exploited a zero-day vulnerability in a web app called USAHerds, used by agriculture officials to track the health and density of the nation’s livestock, as well as the Log4j flaw, to break into American local government systems. Once inside, APT41 deployed custom in-memory Windows malware that was periodically restarted as a scheduled task to ensure persistence.
Speaking of APT41, Mandiant analyst Rufus Brown told The Register on Tuesday: “Lately, it’s mainly just been focused on US state government networks, and also some areas within Southeast Asia that have been pretty highly targeted.”
You can read Mandiant’s full report here for the details on the exploits APT41 used to break into the American public sector, which range from SQL injection to directory traversal to deserialization attacks. The Chinese crew also abused the Log4j vulnerability uncovered last year, exploitation of which “began shortly after the release” of proof-of-concept attack code in December 2021.
“KEYPLUG,” said Mandiant, giving its nickname for APT41’s Windows malware, “is a modular backdoor written in C++ that supports multiple network protocols for command and control (C2) traffic including HTTP, TCP, KCP over UDP, and WSS.”
“The goals of this campaign are currently unknown,” continued the threat intel outfit, adding it “has observed evidence of APT41 exfiltrating personal identifiable information” from the computers it compromised. Brown told El Reg the criminal crew’s use of red-teaming tool Cobalt Strike, now well known among infosec bods as an indicator of compromise, appeared not to have let up.
A US Health Sector Cybersecurity Coordination Center report [PDF] from last year reiterated a previous Mandiant finding that APT41 was “attributable to Chinese individuals working on behalf of the Chinese government” who were also stealing data for private resale to enrich themselves.
APT41 also used the early stages of the COVID-19 pandemic to compromise Western institutions while world leaders’ attention was elsewhere.
And their tub-thumping stablemates
Separately, Proofpoint published research about a Chinese crew it tracks as TA416, adding this is not the same as APT41.
“We have not observed overlap between TA416 [APT41] and the group we track as TA415. We also believe that the tactics used by the actors are very distinct and we do not see parallels between the groups,” said Sherrod DeGrippo, Proofpoint’s threat research veep.
“TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads,” added the biz in a blog post published Tuesday.
These web bugs, or tracking pixels as they’re better known, are a familiar thing from email marketing campaigns. Proofpoint said TA416’s operatives were using them as part of a campaign targeting “European diplomatic entities” a couple of weeks ago when Russia invaded Ukraine.
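As an added illustration of what a mail filter can look for, the following Python snippet (written for this article, not Proofpoint's or The Register's code) flags remote images in an HTML email body that render as a 1x1 or hidden element, the classic shape of a tracking pixel; the sample message and the `example.invalid` hosts are constructed, and the heuristic is a simple one rather than any vendor's detection logic.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: a remote src
    combined with a 1x1 or hidden rendering. Constructed heuristic."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only a remote fetch can tell the sender the mail was opened;
        # inline cid: images and data: URIs cannot beacon out.
        if urlparse(src).scheme not in ("http", "https"):
            return
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.hits.append(src)


def find_web_bugs(html: str) -> list:
    """Return the src URLs of suspected tracking pixels in an HTML body."""
    parser = WebBugFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample body; the hosts are placeholders, not real indicators.
SAMPLE = """<html><body>
<p>Dear Delegate, please find the agenda attached.</p>
<img src="https://tracker.example.invalid/open?id=abc123" width="1" height="1" alt="">
<img src="https://www.example.invalid/logo.png" width="200" height="60">
<img src="cid:logo001" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for url in find_web_bugs(SAMPLE):
        print("possible web bug:", url)
```

In a real deployment the flagged host would be compared against the sending domain and known marketing providers, since legitimate newsletters use the same technique.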
“The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat,” stated Proofpoint, adding that the messages were sent via the SMTP2Go marketing service.
A seemingly low-effort campaign, TA416 was emailing diplomats with links to Dropbox-hosted PlugX malware previously analysed by Recorded Future. The Register reported on a very similar campaign all the way back in 2014, which had the same hallmarks of email, Dropbox, and the PlugX remote access trojan (RAT).
“Once TA416 reads this latest publication regarding their tactics, researchers at Proofpoint fully anticipate they will remain the metaphorical ‘Tubthumping’ of the APT landscape,” concluded the company, somewhat bizarrely, before explaining: “Researchers can publish their tactics but will never keep them down.”
For readers not familiar with the Chumbawamba song to which this refers, we’ve embedded it below. Perhaps we should start compiling a Top Ten of threat intel songs? ®
Bootnote
Regarding TA416 and APT41, infosec firms have a tedious habit of pretending nobody else’s research exists when they publish their own, leading to single groups of threat actors having upwards of a dozen nicknames.
Even the British government has got in on this act: whenever it attributes a Russian state-backed hacking attempt it does so using the Russian military unit’s unique number, requiring yet more legwork to deconflict the name into something the wider world recognizes. Unit 74455 probably means nothing to you; yet if we write about Fancy Bear, Sandworm, APT28 or the GRU spy agency, you’ve probably got a better idea of who has done what.
There are good reasons threat intel companies don’t all adopt each other’s naming schemas (sometimes these groups of malicious people overlap, or often researchers from one outfit may find something that another company hasn’t observed) but these don’t make life much easier when everyone holds out as if they’re working in a vacuum.