Mandiant researchers tracked APT41’s malicious campaign up until last month
Prolific threat group APT41, which is widely assessed to be sponsored by the Chinese state, breached at least six US state government networks between May 2021 and February 2022. Mandiant researchers, who disclosed the intrusions in a report published this week, said the attackers exploited web application flaws such as SQL injection and directory traversal vulnerabilities, as well as zero-day vulnerabilities, including the infamous Log4Shell flaw in Apache Log4j.
Mandiant describes APT41 as a “prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors,” which also conducts financially motivated activity for personal gain.
In its comprehensive 2019 report titled “APT41, a Dual Espionage and Cyber Crime Operation,” FireEye Threat Intelligence traced the group’s history back to 2014 and its wide-ranging targeting of sectors from healthcare and travel services to virtual currencies (Mandiant was owned by FireEye at the time).
The group, also known as (or associated with) Double Dragon, Wicked Panda, Wicked Spider, Barium, Winnti and others, is quick on its feet. Mere hours after the Apache Software Foundation released its first Log4j advisory on December 10th 2021, APT41 “began exploiting the vulnerability to later compromise at least two US state governments as well as their more traditional targets in the insurance and telecommunications industries.”
Mandiant’s investigation also revealed that the group re-compromised two previous US state government victims in late February 2022, representing “a continuation of their campaign into 2022 and demonstrating their unceasing desire to access state government networks.”
The report also warns of the “significant new capabilities” the group holds, from new attack vectors to post-compromise tools and techniques. The group “continues to leverage advanced tradecraft to remain persistent and undetected.”
In 2019 and 2020, the US Department of Justice (DoJ) indicted seven defendants (five Chinese nationals identified as APT41 actors and two Malaysian businessmen) on charges in connection with computer intrusion campaigns against more than 100 victims around the world. Arrest warrants were issued alongside the charges, some of which carry maximum sentences of up to 20 years in prison. Yet the Mandiant researchers note that the group “continues to be undeterred by the indictment.”
Mandiant says it has notified all the organizations it found to have been targeted by the group.