Some of the attacks were carried out after hackers obtained the encryption keys used by USAHERDS, a software application deployed by 18 state governments. Once known, those same keys would work against every server running USAHERDS, Mandiant said, meaning more than just these six states could have been affected. According to WIRED, Mandiant says the software’s developer, Acclaim Systems, has since patched the vulnerability.
APT41: CYBER ESPIONAGE AND PERSONAL PROFIT
The hackers are a Chinese state-backed cyber espionage group with a history of targeting public- and private-sector organizations, Mandiant wrote. Mandiant labels this group APT41, and it’s likely the same group that other cybersecurity firms call “Barium” or “Wicked Panda,” according to the Washington Post.
The hackers appear to have conducted “extensive reconnaissance and credential harvesting,” and extracted personally identifiable information (PII), which would be useful in a cyber espionage campaign. But Mandiant also said it is too early to determine APT41’s objectives. The group has a track record of using intrusions both to advance government spying and to turn a personal profit, making it difficult to pinpoint its goals.
USAHERDS, LOG4J AND MORE
The investigated attacks occurred between May 2021 and February 2022 and took several different forms. In several instances, hackers returned to re-target the same states they had already attacked, “demonstrating their unceasing desire to access state government networks,” Mandiant said.
In three 2021 instances, state systems were breached through a weakness in a livestock disease tracking application called USAHERDS. The attackers gained access by exploiting a zero-day vulnerability — a previously unknown flaw for which no patch yet existed.
USAHERDS proved particularly risky because it was built so that the same encryption keys work on every installation of the tool, rather than each installation having its own. This “is against the best practice of using uniquely generated machineKey values per application instance,” Mandiant says.
Once APT41 got the keys to compromise one instance of USAHERDS, “they were able to compromise any server on the Internet running USAHERDS,” Mandiant writes. “As a result, there are potentially additional unknown victims.”
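The machineKey Mandiant refers to is the ASP.NET configuration element that holds an application’s validation and decryption keys; the failure described in the two paragraphs above is that every installation shipped with the same hard-coded values. The following audit script is an added example, not code from Mandiant, Acclaim Systems or USAHERDS. It parses web.config files collected from several installations, flags any that carry a static machineKey instead of the ASP.NET default of auto-generated per-machine keys, and reports key pairs that repeat across hosts (compared by hash, so the audit output never echoes the secret). The host names and config fragments are constructed for illustration.

```python
"""Audit ASP.NET web.config files for static or shared <machineKey> values."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

AUTO_GENERATE = "autogenerate"   # prefix of the ASP.NET default ("AutoGenerate,IsolateApps")

# Constructed sample configs (hypothetical hosts, not real USAHERDS files).
# Hosts A and B carry the same hard-coded key pair, the pattern Mandiant
# describes; host C states the default explicitly; host D omits the element,
# which also means per-machine auto-generated keys.
SHARED_VALIDATION_KEY = "A1" * 32   # 64 hex chars, constructed
SHARED_DECRYPTION_KEY = "B2" * 16   # 32 hex chars, constructed

SAMPLE_CONFIGS = {
    "state-a.example": f"""<configuration>
  <system.web>
    <machineKey validationKey="{SHARED_VALIDATION_KEY}"
                decryptionKey="{SHARED_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "state-b.example": f"""<configuration>
  <system.web>
    <machineKey validationKey="{SHARED_VALIDATION_KEY}"
                decryptionKey="{SHARED_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "state-c.example": """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "state-d.example": """<configuration><system.web/></configuration>""",
}


def _is_static(value):
    """A key attribute is static unless it is absent or starts with AutoGenerate."""
    return value is not None and not value.strip().lower().startswith(AUTO_GENERATE)


def inspect_machine_key(config_xml):
    """Return (is_static, fingerprint); fingerprint is None for auto-generated keys."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return False, None
    vk = mk.get("validationKey")
    dk = mk.get("decryptionKey")
    if not (_is_static(vk) or _is_static(dk)):
        return False, None
    # Hash rather than print the key material so the report is safe to share.
    digest = hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()[:16]
    return True, digest


def find_shared_keys(configs):
    """Map each static key fingerprint used by more than one host to those hosts."""
    by_fp = defaultdict(list)
    for host, xml_text in configs.items():
        is_static, fp = inspect_machine_key(xml_text)
        if is_static:
            by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def audit(configs):
    """Per-host finding: 'shared-key' (worst), 'static-key' (unique but hard-coded) or 'ok'."""
    shared_hosts = {h for hosts in find_shared_keys(configs).values() for h in hosts}
    report = {}
    for host, xml_text in configs.items():
        is_static, _ = inspect_machine_key(xml_text)
        if host in shared_hosts:
            report[host] = "shared-key"
        elif is_static:
            report[host] = "static-key"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {finding}")
```

A "shared-key" finding is the condition the article describes: the same key pair on more than one installation means a key recovered from any one of them works against all the rest. A "static-key" finding on a single host is worth reviewing as well, since Mandiant’s stated best practice is a uniquely generated key per application instance.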
Eighteen states use USAHERDS, according to the Mandiant post. WIRED reports that Mandiant informed the developer behind USAHERDS of the issue in late 2021 and that it has since been patched.