China-sponsored hackers compromised at least six U.S. state government networks and stole personally identifiable information, according to cybersecurity firm Mandiant.
The goals of compromising the state networks are unclear. Mandiant said it discovered the campaign when APT41 exploited a vulnerability in USAHerds, a web application for animal health emergency reporting and diagnostics, and later exploited the widely used open-source logging library Apache Log4j.
The cybersecurity firm declined to disclose which six states were affected in the hacks it observed between May 2021 and February 2022.
Mandiant principal threat analyst Van Ta said data specific to USAHerds was not the objective; the USAHerds vulnerability served only as an initial foothold from which the hackers moved into other parts of the states' networks.
“After establishing an entryway, we observed APT41 pivoting into other parts of the network,” Mr. Ta said in a statement. “While we were unable to uncover specifically what they were after, state governments track a wealth of data about their constituents that would be valuable targets for espionage threat actors as well as threat actors seeking personal financial gain; we have seen APT41 conduct operations for both ends in the past.”
Mandiant said it did not see evidence that APT41 conducted a destructive or disruptive attack alongside its breach of state networks, which the firm viewed as consistent with the hacking group’s previous actions.
APT41 is a cyber-espionage operator aligned with China’s economic development plans, according to Mandiant’s 2019 analysis of the advanced persistent threat group.
The hackers have historically targeted organizations in the health care, high-tech and telecommunications sectors.
“APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance,” reads Mandiant’s 2019 analysis. “For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.”
In addition to the state network intrusions first observed last year, Mandiant said APT41 exploited the Log4j vulnerability against targets in the insurance and telecommunications sectors.
Because Log4j is embedded in a large share of Java software, the number of systems potentially exposed to the vulnerability is enormous, and that has sounded alarms within the Biden administration. The federal government tasked the Cyber Safety Review Board, established last year, with investigating the Log4j vulnerability and its exploitation.
The cyber board is modeled on the National Transportation Safety Board, which studies accidents in the transportation sector and makes recommendations for how the government and private sector should respond.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.