Chinese government-backed hackers broke into at least six U.S. state government computer systems over the past year in an operation “consistent with espionage,” a new report revealed Tuesday.
Cybersecurity firm Mandiant uncovered evidence showing that Chinese hacking group “APT41” had successfully breached six U.S. state government networks between May 2021 and February 2022 by exploiting vulnerable internet-facing applications. The hackers even returned to two U.S. state governments for a second round of hacking as recently as late February 2022.
Mandiant described APT41 as “a prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors and also conducts financially motivated activity for personal gain.”
“The goals of this campaign are currently unknown, though Mandiant has observed evidence of APT41 exfiltrating Personal Identifiable Information (PII),” which is “consistent with an espionage operation,” Mandiant said.
APT41 isn’t a new hacking group and neither are its methods. However, Mandiant identified that APT41 used “significant new capabilities” in its latest attacks against the U.S. state governments.
“APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” Mandiant said. “The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use.”
In September 2020, the U.S. Department of Justice charged five Chinese nationals and two Malaysian nationals linked to the APT41 group over a massive hacking scheme that targeted more than 100 companies. One of the Chinese hackers called himself “very close” to China’s Ministry of State Security, Deputy Attorney General Jeffrey Rosen said at the time.
“APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020,” Mandiant said in its report.
The DOJ and FBI had worked with Microsoft, Google, Facebook, Verizon, and three other partners in 2020 to “identify and neutralize” the servers, malware, domains, and other hacking tools used by APT41.
In March 2020, cybersecurity company FireEye said it observed APT41 conducting “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”