A Chinese state-sponsored hacking group successfully compromised the computer networks of at least six U.S. states between May 2021 and February 2022.
CNBC reported cybersecurity firm Mandiant’s findings that detail how the hackers employed by the Chinese government were able to exploit vulnerabilities in web applications used by these state governments to gain access to their networks.
The group that hacked the state networks is known as APT41. It is a Chinese state-sponsored espionage group that breaks in by exploiting vulnerabilities in software, and it adjusts its methods as targets and opportunities change.
The Mandiant research said, “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques.”
It continued, “APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability.”
Mandiant's report tied that initial access to a server-side process called "deserialization," which the group abused in the targeted web applications.
Mandiant said, “APT41 has primarily used malicious ViewStates to trigger code execution against targeted web applications. Within the ASP.NET framework, ViewState is a method for storing the application’s page and control values in HTTP requests to and from the server. The ViewState is sent to the server with each HTTP request as a Base64 encoded string in a hidden form field. The web server decodes the string and applies additional transformations to the string so that it can be unpacked into data structures the server can use. This process is known as deserialization.”
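The quote above describes how ViewState travels and where deserialization happens, but not the control that normally stands in front of it. In ASP.NET, the server appends a keyed HMAC (computed with the machineKey validationKey, bound to the page) to the ViewState when MAC validation is enabled, and refuses to deserialize a request's ViewState unless that HMAC verifies. A malicious ViewState therefore only reaches the deserializer when MAC validation is disabled or the attacker knows the validation key. The following simplified model, added here as an illustration and not taken from Mandiant's report or from ASP.NET's source, shows that check and the two ways it fails. JSON stands in for the LosFormatter wire format, and the validation key, page path and "gadget" state are constructed values with no real-world meaning.

```python
"""Simplified model of ASP.NET ViewState MAC validation.

Added example, not Mandiant's or Microsoft's code. JSON replaces LosFormatter
purely for readability; the point is the HMAC check around deserialization,
not the wire format.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes, as with HMACSHA256 validation

# Constructed stand-in for a machineKey validationKey; not a real or recommended key.
SERVER_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def serialize_state(state: dict) -> bytes:
    """Stand-in for LosFormatter. Real ViewState can carry arbitrary .NET object
    graphs, which is what makes unauthenticated deserialization dangerous."""
    return json.dumps(state, sort_keys=True).encode()


def encode_viewstate(state: dict, key: Optional[bytes], page_modifier: bytes,
                     enable_mac: bool = True) -> str:
    """Build the hidden __VIEWSTATE field value. With MAC enabled the HMAC is bound
    to the page via page_modifier, so a blob signed for one page is not valid on another."""
    payload = serialize_state(state)
    if enable_mac:
        if key is None:
            raise ValueError("cannot sign without the validation key")
        payload += hmac.new(key, payload + page_modifier, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def decode_viewstate(field: str, key: bytes, page_modifier: bytes,
                     enable_mac: bool = True) -> dict:
    """Server side: verify, then deserialize. With enable_mac=False (the weak
    setting) every byte the client sent goes straight into the deserializer."""
    raw = base64.b64decode(field)
    if enable_mac:
        if len(raw) < MAC_LEN:
            raise ValueError("ViewState MAC validation failed: no MAC present")
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(key, payload + page_modifier, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("ViewState MAC validation failed")
    else:
        payload = raw
    return json.loads(payload)


def forge_viewstate(state: dict) -> str:
    """What an attacker without the key can produce: a well-formed but unsigned blob."""
    return encode_viewstate(state, key=None, page_modifier=b"", enable_mac=False)


def run_scenarios() -> dict:
    """Exercise the check under the normal, weakened and key-compromised conditions."""
    page = b"/Default.aspx"  # constructed page path used as the MAC modifier
    legit = {"txtName": "alice", "__ctl": "Button1"}
    # Constructed stand-in for a serialized gadget chain; carries no real payload.
    malicious = {"__type": "Gadget.Chain, Evil", "cmd": "whoami"}
    results = {}

    # 1. Normal round trip: server signs, server verifies.
    field = encode_viewstate(legit, SERVER_VALIDATION_KEY, page)
    results["legit_roundtrip"] = decode_viewstate(field, SERVER_VALIDATION_KEY, page)

    # 2. Unsigned attacker blob, MAC validation on: rejected before deserialization.
    forged = forge_viewstate(malicious)
    try:
        decode_viewstate(forged, SERVER_VALIDATION_KEY, page)
        results["forged_mac_on"] = "accepted"
    except ValueError:
        results["forged_mac_on"] = "rejected"

    # 3. Same blob, MAC validation off: deserialized exactly as the attacker sent it.
    results["forged_mac_off"] = decode_viewstate(
        forged, SERVER_VALIDATION_KEY, page, enable_mac=False)

    # 4. Attacker who obtained the validation key can sign: the MAC no longer helps.
    signed_by_attacker = encode_viewstate(malicious, SERVER_VALIDATION_KEY, page)
    results["forged_with_leaked_key"] = decode_viewstate(
        signed_by_attacker, SERVER_VALIDATION_KEY, page)

    # 5. A legitimately signed blob replayed against another page fails the page-bound MAC.
    try:
        decode_viewstate(field, SERVER_VALIDATION_KEY, b"/Other.aspx")
        results["cross_page_replay"] = "accepted"
    except ValueError:
        results["cross_page_replay"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Scenarios 3 and 4 are the two conditions a defender can act on: keep ViewState MAC validation enabled on every ASP.NET application, and treat the machineKey validationKey as a secret that must not sit in source repositories, backups or shared web.config files, because whoever holds it can sign a ViewState the server will deserialize.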
Mandiant is not the first tech company to sound the alarms about the threat posed to American cyber sovereignty by APT41.
Researchers from BlackBerry have previously identified APT41 as “a prolific Chinese state-sponsored cyberthreat group.”
In the fall of 2020, the U.S. Department of Justice indicted five Chinese nationals for crimes related to computer intrusions that affected over 100 private companies in the U.S. and abroad. Some of those who were indicted were part of APT41.
Mandiant said on Tuesday that APT41 appeared "undeterred" by the 2020 indictment and that the group's goals remain "unknown."
The Mandiant researchers said, “Overall goals of APT41’s campaign remain unknown. Their persistence to gain access into government networks, exemplified by re-compromising previous victims and targeting multiple agencies within the same state, show that whatever they are after it is important. We have found them everywhere, and that is unnerving.”
In February, FBI Director Christopher Wray accused the Chinese government of “trying to steal” information and technology. Wray extended the accusation to condemn the Chinese Communist Party for launching cyber attacks against Western corporations.
In 2021, the U.S., the European Union, NATO and other allied governments blamed the Chinese government for directing and sponsoring a massive cyberattack on Microsoft Exchange email servers.
Zhao Lijian, a spokesperson for China's foreign ministry, denied that China was involved in the cyberattack targeting Microsoft Exchange.
Zhao said, in July 2021, “China firmly opposes and combats any form of cyberattacks, and will not encourage, support or condone any cyberattacks.”
The Mandiant report did not say which state governments were targeted by APT41.