APT41 spies uses animal-tracking software to hack into state networks

Chinese hackers manage to access United States networks using a tracking app

APT41 hacked six US government networks using an animal-tracking app

APT41 hit at least six US state networks using the Log4j vulnerability and zero-day bugs in the USAHerds animal-tracking software. Cybersecurity company Mandiant reported suspicious activity by APT41, a cybercrime group from China. Experts found that the spy group has been preying on vulnerable web applications, many of them written in ASP.NET.[1]

Between May 2021 and February 2022, the espionage and hacking group APT41 worked to gain access to state networks. In this case, the attackers used a zero-day vulnerability in an application called USAHerds, which is used by 18 states across the US for animal health management.[2]

Experts from Mandiant point out that APT41 has also been exploiting the Log4Shell vulnerability, possibly since at least December 2021. The group conducted .NET deserialization attacks and exploited SQL injection and directory traversal vulnerabilities, alongside various new techniques.

SQL injection attacks are especially nasty because they let attackers insert malicious SQL into a web application's input and interfere with the application's queries to its database. Through them, hackers gain easy access to the state networks and their information. However, why the group targeted USAHerds, and what its original goal was, remains a mystery.
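The SQL injection mechanism described above, shown as an added example that is not part of the original article or of USAHerds: a lookup that concatenates user input into the query beside the parameterized form, run against a constructed in-memory table with a hypothetical schema.

```python
import sqlite3

# Constructed sample rows standing in for an animal-tracking table
# (hypothetical schema, not the real USAHerds database).
SAMPLE_ROWS = [
    ("TAG-001", "WA", "cattle"),
    ("TAG-002", "OR", "swine"),
    ("TAG-003", "WA", "sheep"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (tag TEXT, state TEXT, species TEXT)")
    conn.executemany("INSERT INTO animals VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, tag):
    """Builds the query by string concatenation, so user input becomes SQL syntax.
    A quote character in `tag` ends the literal and the rest is parsed as SQL."""
    sql = "SELECT tag, state, species FROM animals WHERE tag = '" + tag + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tag):
    """Hardened form: the value is bound separately and is never parsed as SQL,
    so a quote character is just part of the tag being searched for."""
    sql = "SELECT tag, state, species FROM animals WHERE tag = ?"
    return conn.execute(sql, (tag,)).fetchall()


def compare(tag):
    """Return (rows from vulnerable lookup, rows from parameterized lookup)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, tag)), len(lookup_parameterized(conn, tag))


if __name__ == "__main__":
    # A normal tag behaves the same both ways; a crafted value that closes the
    # quote and appends a tautology dumps every row from the vulnerable query.
    print(compare("TAG-001"))       # (1, 1)
    print(compare("' OR '1'='1"))   # (3, 0)
```

The same query shape, written with a bound parameter, returns no rows for the crafted input because the driver compares it as a plain string value.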

Various new scheming techniques

In this recent campaign, the Chinese spy group used a wide variety of new techniques and methods. These new capabilities, such as new attack vectors and post-compromise tools, could pose a serious danger in the future, especially as the group appears to be combining its existing capabilities with these new tricks.

.NET deserialization attacks, SQL injections, directory traversal vulnerabilities, zero-day attacks, and bugs were all used simultaneously.[3] It goes even further: experts say the criminals customized malware to specific victim organizations' environments and hid its command and control (C2) address in encoded data posted on tech community forums.

Mandiant researchers believe that APT41 can quickly adapt its initial access techniques by re-compromising an environment through a different vector, or simply by using a fresh vulnerability. The hackers appear to be constantly evolving and are quick to retool and use new techniques in a brand new attack.[4]

Who is APT41, and what do they want?

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.[5] Over the past several years the group has attacked numerous US state governments as well as targets in the US, France, Australia, the United Kingdom, Chile, and several Asian countries.

With successful attacks on national-level sites, these types of crimes become even more popular. Researchers point out that another criminal group with a seemingly similar style, called TA416, is also on the rise. However, experts believe the tactics used are distinct enough to be sure that the groups do not work together, nor do they plan to.

These attacks are a prime example of the rise of cybercrime and the weakness of personal and business devices. With attacks at the state and national level, security and additional safeguards become the primary goal, all the more urgent given the amount of sensitive information state-level agencies handle.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
