The APT41 group compromised at least six U.S. state government networks between May and February in a “deliberate campaign” that reflects new attack vectors and retooling by the prolific Chinese state-sponsored group.
Researchers with Mandiant found that the group had compromised networks by exploiting vulnerable Internet-facing web applications, including the infamous Log4j flaw (CVE-2021-44228). In three incidents, the group also exploited a vulnerability (CVE-2021-44207) in a commercial application called USAHerds, an animal health emergency reporting system that is used by 18 states for responding to livestock-related incidents. Researchers said that the overall goals of APT41’s campaign remain unknown, although they did observe evidence of the group exfiltrating personally identifiable information (PII).
“APT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques,” said Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman and John Wolfram, researchers with Mandiant, in a Tuesday analysis. “APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability.”
While APT41 has previously performed mass scanning and exploitation of flaws, these campaigns were more targeted and persistent, with the group quickly adapting to publicly-disclosed vulnerabilities to gain initial access into target networks, said researchers. Within hours of the Apache Foundation’s security advisory for the Log4j flaw on Dec. 10, for instance, APT41 began to exploit the flaw in order to compromise at least two state governments, as well as their more traditional targets in the insurance and telecommunications industries.
In several cases, the group also re-compromised state government victims even after their initial attack was contained. For instance, after APT41 exploited a SQL injection flaw to compromise a state government network, Mandiant detected and contained the activity; however, two weeks later the group re-compromised the networks by exploiting the (at the time, previously-unknown) flaw in the USAHerds application.
Researchers also observed new malware variants and techniques used by the group. During the early stages of one state government intrusion, for instance, APT41 leveraged a new malware family that researchers called DustPan, an in-memory dropper that was used to drop a Cobalt Strike beacon backdoor. And after exploiting the Log4j flaw, APT41 deployed a new variant of the KeyPlug backdoor on Linux servers of multiple victims. KeyPlug is a modular backdoor that supports multiple network protocols for command and control (C2), including HTTP, TCP, KCP over UDP and WSS.
“APT41 heavily used the Windows version of the KEYPLUG backdoor at state government victims between June 2021 and December 2021, thus the deployment of a ported version of the backdoor closely following the state government campaign was significant,” said researchers.
Researchers also observed APT41 substantially increasing their usage of Cloudflare services for C2 communications and data exfiltration, including the use of Cloudflare Workers to deploy serverless code and proxy C2 traffic to APT41-operated infrastructure. Researchers said that they notified Cloudflare of the malicious activity, and the company has since disrupted communications to the malicious infrastructure.
APT41 also leveraged several post-exploitation tools that were previously part of their arsenal, including an obfuscated binary called BadPotato for local privilege escalation and credential harvesting, as well as the existing DeadEye malware and LowKey backdoor with added anti-analysis capabilities.
APT41 has been responsible for a high volume of attacks worldwide in the more than 10 years that it has been active, with previous campaigns being centered around espionage as well as financial motivations. While five alleged members of the group were charged by the Department of Justice in 2020, Mandiant researchers said that this recent activity reveals that the group has been undeterred by the indictment.
“A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world,” said Geoff Ackerman, principal threat analyst with Mandiant.
On Tuesday, the Google Threat Analysis Group (TAG) issued a warning that they detected a phishing campaign by China-linked espionage group APT31 targeting “high-profile Gmail users affiliated with the U.S. government” in February. Both incidents highlight the security threats that China-linked APTs continue to pose to U.S. organizations, particularly for government agencies. A recent Annual Threat Intelligence report by the Office of the Director of National Intelligence assessed that China “presents the broadest, most active and persistent cyber espionage threat” to U.S. government and private sector networks.
“China’s cyber pursuits and export of related technologies increase the threats of attacks against the U.S. homeland, suppression of U.S. web content that Beijing views as threatening to its control, and the expansion of technology-driven authoritarianism globally,” according to the report. “China almost certainly is capable of launching cyber attacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.”