Within hours of the Log4j flaw being revealed, these hackers were using it

Cybersecurity researchers at Mandiant detail a hacking campaign designed to gain persistent access to networks.
Written by Danny Palmer, Senior Writer

A prolific and likely state-backed hacking group repeatedly targeted several US state governments, first by exploiting software vulnerabilities in web applications and later by scanning for Log4j vulnerabilities within hours of the flaw coming to light, in order to maintain their access.

Cybersecurity researchers at Mandiant have detailed how APT41, a state-sponsored cyber-espionage and hacking group working out of China, compromised at least six US government networks, as well as other organisations, sometimes repeatedly, between May 2021 and February 2022.

The US Department of Justice indicted APT41 hackers in September 2020, but it doesn't appear to have had an impact on the persistent nature of the attacks. 


According to analysis of the attacks, many of the initial compromises came in June 2021 by targeting insecure web applications. 

Then in December 2021, a zero-day vulnerability in the widely used Java logging library Apache Log4j was disclosed, and the researchers at Mandiant say APT41 began exploiting the Log4j vulnerability almost immediately.

"Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries," Mandiant said.

While a patch was released when the vulnerability was disclosed, the ubiquitous nature of Log4j means that many organisations did not know it was part of their tech infrastructure.

No matter which vulnerability was being used, once inside the networks, APT41 tailored malware to the victim's environment in order to make the attacks as effective as possible. When a new vulnerability that could be exploited appeared, the attackers didn't abandon their previous compromise, but rather exploited the new vulnerability to gain additional persistence on the network. 

While the focus of the campaign was around compromising US government networks, APT41 attacks also targeted other industries, including insurance and telecommunications. 

It's still uncertain what the overall goals of this particular APT41 campaign are, because these hackers also often dabble in moonlighting for their own personal gain.

"APT41's recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability," the report said. 

This recent campaign is another reminder that state-level systems in the US are under pressure from nation-state actors like China, as well as Russia, said Geoff Ackerman, principal threat analyst at Mandiant.

"A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world," he added. 

State-backed hacking groups, as well as cyber criminals, are quick to exploit unpatched vulnerabilities. One of the key things that organisations can do in an effort to avoid falling victim to attacks exploiting software vulnerabilities is to apply any patches or security updates as quickly as possible.
