Suspected state-backed Chinese hackers used a security hole in a popular email security appliance to break into the networks of hundreds of public and private sector organizations globally, nearly a third of them government agencies including foreign ministries, the cybersecurity firm Mandiant said Thursday.
“This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021,” Charles Carmakal, Mandiant’s chief technical officer, said in an emailed statement. That hack compromised tens of thousands of computers globally.

Mark Schiefelbein, Associated Press
Attendees walk past an electronic display showing cyberattacks in China at the China Internet Security Conference in Beijing, on Sept. 12, 2017. Hackers linked to China were likely behind recent attacks that affected public and private organizations globally.
In a blog post Thursday, Google-owned Mandiant expressed “high confidence” that the group exploiting a software vulnerability in Barracuda Networks’ Email Security Gateway was engaged in “espionage activity in support of the People’s Republic of China.” It said the activity began as early as October.
The hackers sent emails containing malicious file attachments to gain access to targeted organizations’ devices and data, Mandiant said. Of those organizations, 55% were from the Americas, 22% from Asia Pacific and 24% from Europe, the Middle East and Africa, and they included foreign ministries in Southeast Asia and foreign trade offices and academic organizations in Taiwan and Hong Kong, the company said.
Mandiant said the concentration of victims in the Americas may partly reflect the geography of Barracuda’s customer base rather than deliberate targeting.
Barracuda announced on June 6 that some of its email security appliances had been hacked as early as October, giving the intruders a back door into compromised networks. The hack was so severe the California company recommended fully replacing the appliances.
After discovering the intrusion in mid-May, Barracuda released containment and remediation patches, but the hacking group, which Mandiant identifies as UNC4841, altered its malware to try to maintain access, Mandiant said. The group then “countered with high frequency operations targeting a number of victims located in at least 16 different countries.”
Word of the breach comes as U.S. Secretary of State Antony Blinken departs for China this weekend as part of the Biden administration’s push to repair deteriorating ties between Washington and Beijing.
His visit had initially been planned for early this year but was postponed indefinitely after the discovery and shootdown of what the U.S. said was a Chinese spy balloon over the United States.
Mandiant said the targeting, at both the organizational and individual account levels, focused on issues that are high policy priorities for China, particularly in the Asia Pacific region. It said the hackers searched for email accounts of people working for governments of political or strategic interest to China at the time those people were participating in diplomatic meetings with other countries.
In an emailed statement Thursday, Barracuda said about 5% of its active Email Security Gateway appliances worldwide showed evidence of potential compromise. It said it was providing replacement appliances to affected customers at no cost.
The U.S. government has accused Beijing of being its principal cyberespionage threat, with state-backed Chinese hackers stealing data from both the private and public sector.
In terms of raw intelligence affecting the U.S., China’s largest electronic infiltrations have targeted OPM, Anthem, Equifax and Marriott.
Earlier this year, Microsoft said state-backed Chinese hackers have been targeting U.S. critical infrastructure and could be laying the technical groundwork for the potential disruption of critical communications between the U.S. and Asia during future crises.
China says the U.S. also engages in cyberespionage against it, hacking into computers of its universities and companies.
Chinese spies breached hundreds of public, private networks, security firm says
Virrage Images // Shutterstock
A number of major cyberattacks have entered the public consciousness in the past decade, with several major consumer data breaches since 2015 leaving millions of victims—high-profile financial companies, retail chains, social media sites and even the Democratic National Convention—in their wake. But who or what actors are behind these cyberattacks?
Twingate collected information from official and expert industry sources about the groups responsible for major cyberattacks.
The U.S. government, including the Justice Department and GSA, the Council on Foreign Relations think tank, and other prominent sources have given the American public context for some of the world's most important hacker collectives, or Advanced Persistent Threat groups. All of these groups are believed to be state-sponsored, whether by China, Russia, Iran, North Korea or the U.S. Most APTs hack their targets to find and steal information; but some groups are also hacking to extort money or steal cryptocurrencies from their targets. Some teams use custom-made cyber scripts to break into computer networks, while others rely on classic hacking tactics, such as phishing and social engineering.
Anelo // Shutterstock
The GSA categorizes APT 29, or Cozy Bear, as a state-sponsored group based in Eastern Europe and Russia. The group targets European and other Western governments and organizations. Cozy Bear hackers like to lurk on existing networks, making fake traffic that its members can conceal as legitimate. From there, exploiting those networks is much easier. APT 29 members are adept at using social media sites or cloud storage as ways to share instructions via clever means like corrupted image files.
Sean Gallup // Getty Images
CFR categorizes APT 28, or Fancy Bear and other names, as a group sponsored by Russia with targets around the world. APT 28's hackers target disparate groups in the government, military, and private sectors. Their suspected targets include the World Anti-Doping Agency and the International Association of Athletics Federations. Russia's team was banned from international athletics for years after a 2019 WADA ruling, but clean-testing Russian athletes were allowed to continue competing under an international flag. Russia has repeatedly tussled with these anti-doping organizations, accusing them of banning Russian athletes at Washington's behest. In October 2018, the Justice Department indicted several individuals in Russia it alleged were members of a Russian military intelligence unit on multiple charges, including hacking the WADA.
DC Studio // Shutterstock
The GSA categorizes APT 14, or Anchor Panda, as a state-sponsored group based in East Asia. APT 14 targets governments, communications, construction, and engineering firms with large-scale brute force attacks. A brute force attack is one in which, for example, a hacker tries to recover a user's password by attempting every possible combination. These hackers may also do some social engineering by seeking clues like the user's pets' names, family names, and other guessable facts to narrow down their brute force password search.
The GSA says Anchor Panda specializes in trying to find and steal data, like spreadsheets and reports, as well as the confidential specifications of government or defense equipment for the benefit of the Chinese military.
Canva
The CFR categorizes Equation Group as a state-sponsored group likely linked to the U.S. intelligence community or its Five Eyes allies (U.K., Canada, Australia, and New Zealand). The group was discovered by researchers at Moscow-based anti-virus maker Kaspersky Lab and is believed to date back to 2001. Although Kaspersky Lab stopped short of directly implicating U.S. intelligence agencies, it claimed that Equation Group targeted more than 500 organizations and programs worldwide, and that its targets included foreign governments, militaries, and media organizations. Equation Group's long history and rich target list make it one of the world's most sophisticated presumed state-directed or state-sponsored hacking groups.
Gorodenkoff // Shutterstock
APT 41, also known as Double Dragon, is a state-sponsored hacking group based in China whose members are wanted by the FBI. Mandiant shares that APT 41 is unusual, partly because of the financial aspect of its state-sponsored activities. Although many other hacking groups may use ransomware and other kinds of attacks that seek to extort or steal money as a major goal, such cyber piracy or privateering is less common among more sophisticated groups that target governments and militaries. It's usually easier for hackers to find and exploit smaller or localized targets that are likely to have access to money—while also having relatively lax network security—than to go after adversary governments.
Andrey_Popov // Shutterstock
APT 33, or Elfin, is believed by cybersecurity firm Mandiant to be a state-sponsored group based in Iran. The group's activities reportedly date back to at least 2013. It has targeted the neighboring Kingdom of Saudi Arabia as well as democratic nations such as South Korea and the U.S. APT 33 is known to rely on phishing and spyware, which form a potent combination in the world of information security. Employees at victimized firms may click on links in phishing messages that, in turn, install spyware that monitors activities on and creates vulnerabilities in their networks.
husjur02 // Shutterstock
APT 35, or Charming Kitten, is a state-sponsored group based in Iran. The CFR reports the group's activities are believed to date back to at least 2014, following the defection of a former U.S. Air Force intelligence officer to Iran. The officer, Monica Elfriede Witt, has since been indicted for espionage, with the Justice Department alleging she cooperated with the four state-directed Iranian hackers named in the DOJ indictment. Witt is accused of providing the Iranian hackers with details enabling them to target her former colleagues in the U.S. intelligence community. One of the hackers named in the Witt indictment, Behzad Mesri, was also charged with targeting HBO in a ransomware attempt.
APT 35 relies primarily on social engineering, which is an umbrella term for forms of attack like calling and imitating a targeted victim's bank in order to request their account information. In addition to the Witt-linked attempts at social engineering, APT 35 has reportedly targeted academics who study Iran, as well as several U.S.-allied governments in the Middle East.
Ivanova Ksenia // Shutterstock
The CFR categorizes APT 37, or Reaper, as a state-sponsored group acting in the interest of North Korea. Once described as the Hermit Kingdom, North Korea's internet usage has increased 300% over the last several years. The New York Times reports that restrictions on internet access do not apply to North Korean elites associated with the government or the nation's highly restricted universities. The Justice Department indicted three North Korean hackers in 2021, alleging they attacked Sony Pictures, crypto exchanges and banks in multiple countries.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.