Chinese hackers targeted government entities and thwarted recovery efforts, report says
The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.”
A Chinese-linked hacking group that security researchers say disproportionately targeted government organizations in a recent global cyberattack deployed persistent methods to circumvent recovery efforts, according to a report released Tuesday.
The cybersecurity firm Mandiant reported that the eight-month global espionage campaign was believed to have been carried out by UNC4841, a cybercriminal organization working in support of the Chinese government.
The group leveraged a critical vulnerability found in an email security tool developed by the security company Barracuda Networks to gain remote access to hundreds of organizations across the public and private sectors, including government entities, information technology firms, academic and financial institutions, defense companies and more.
Nearly a third of the victims impacted by the mass-exploit were government organizations, the report said, noting that "a limited number of previously impacted victims remain at risk due to this campaign."
Mandiant found that the cybercriminals deployed additional malware onto victims' appliances after establishing remote access as part of an effort to evade remediation efforts. The report said that the group set up persistent backdoors that may allow hackers to maintain a presence on some networks without being detected.
Last week, the FBI warned in an advisory that all of Barracuda Network's exploited Email Security Gateway appliances remain at risk for continued network compromise — "even those with patches pushed out by Barracuda," the Flash advisory said. The bureau has launched an investigation into the mass exploit, and the Cybersecurity and Infrastructure Security Agency has released malware analysis on backdoors the threat group leveraged throughout its campaign.
The exploit leveraged in the espionage campaign was patched on May 20, and both Mandiant and Barracuda have not identified successful exploitations "resulting in any newly compromised physical or virtual ESG appliances,” according to the report.
Erich Kron, security awareness advocate for the security software firm KnowBe4, told Nextgov/FCW that potential victims should monitor their network traffic "with the focus on trying to identify potential command and control channels" that can allow hackers to control compromised systems.
"In this case, a more disturbing part is that even devices that were patched remained vulnerable and were still being compromised," Kron said. "Trying to find and remediate potential backdoors scattered across systems can be a very challenging issue for organizations."