Cyber firm: At least 6 US state governments hacked by China

The report from Mandiant does not identify the compromised states or offer a motive for the intrusions, which began last May and continued through last month. But the Chinese group believed responsible for the breaches, APT41, is known to launch hacking operations both for old-fashioned espionage purposes and for financial gain.

“While the ongoing crisis in Ukraine has rightfully captured the world’s attention and the potential for Russian cyber threats are real, we must remember that other major threat actors around the world are continuing their operations as-usual,” said Geoff Ackerman, a principal threat analyst at Reston, Virginia-based Mandiant Inc.

He added in his statement: “We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41, one of the most prolific threat actors around, continues to this day.”

State agencies remain ripe targets for hackers, even as the Biden administration has announced additional steps to safeguard federal government systems from hacking. That’s an especially urgent concern in light of the massive SolarWinds espionage campaign in which Russian intelligence operatives exploited supply chain vulnerabilities to break into the networks of at least nine U.S. agencies and dozens of private-sector companies.

In this case, the report says, the hackers exploited a previously unknown vulnerability in an off-the-shelf commercial application used by 18 states for animal health management. In addition, they exploited a software flaw known as Log4j that was discovered in December and that U.S. officials said was possibly present in hundreds of millions of devices. The hackers began exploiting the vulnerability within hours of an advisory that disclosed it to the public, using it to re-compromise two state government networks.

The hackers’ “persistence to gain access into government networks, exemplified by re-compromising previous victims and targeting multiple agencies within the same state, show that whatever they are after it is important,” Rufus Brown, a senior threat analyst at Mandiant, said in a statement. “We have found them everywhere, and that is unnerving.”

The report by Mandiant links the hacking to APT41, which was implicated in a 2020 Justice Department indictment that accused Chinese hackers of targeting more than 100 companies and institutions in the U.S. and abroad, including social media and video game companies, universities and telecommunications providers.

“Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020,” the report states.

The Chinese government in the past has denied U.S. accusations of hacking.

Mandiant is being acquired by Google in a deal worth $5.4 billion, the companies announced on Tuesday.