Chinese hackers breached six state governments, researchers say

Below: Google’s buying Mandiant for $5.4 billion, and hackers breached natural gas firms before Russia’s Ukraine invasion. 

Chinese hackers used the log4j vulnerability to breach state websites

At least six state governments have been hacked by a notorious group linked to the Chinese government.

The hacking group cracked into the states’ computer systems during the past 13 months, stealing an untold amount of data, the cybersecurity firm Mandiant found. In some cases, the hackers used a devastating and widespread vulnerability dubbed log4j, according to the report out this morning. (Google announced this morning it’s buying Mandiant for $5.4 billion. More on that below). 

The disclosure of that bug caused such widespread panic last year — and such a rapid response by cyber defenders updating software to protect against it — that there are few other instances of major hacks that exploited it. In this case, however, the Chinese hackers moved even faster than the defenders, pivoting to begin exploiting the log4j bug “within hours” of when it was made public on Dec. 10, Mandiant found. 

That rapid turnaround underscores the immense volume of resources Chinese hacking groups are bringing to bear against underprotected and under-resourced victims in U.S. government and industry. 

The report is also a stark reminder that while U.S. officials are focusing intensely now on the dangers of Russian hacking tied to the war in Ukraine, China and other U.S. adversaries continue to run roughshod through U.S. computer systems collecting troves of sensitive data. 

“Even while things are happening in Ukraine, we can’t ignore other nation states,” Rufus Brown, Mandiant senior threat analyst, told me. “Nation state actors are going to continue every day to do their jobs collecting these things. They remain undeterred.”

Mandiant isn’t naming which state governments were compromised by the hackers. Though it identified six states that were victims, there are likely more, Brown said. And while the operation seems clearly aimed at gathering information to aid the Chinese government, it’s not clear precisely what information the hackers were after, Mandiant said. 

The hacking campaign was especially aggressive. Here are some highlights:

• The hackers cracked into at least three states’ computer systems using a previously unknown software vulnerability in an application called USAHerds, which states use to detect, track and prevent livestock disease outbreaks. Once they got in through that app, they were able to steal data that went far beyond livestock.
• “This was just the initial vector to gain a foothold,” Brown told me. “State governments have many different departments and agencies, and we don’t know enough to say what they were going after.”
• Those previously undiscovered vulnerabilities, known as “zero days,” can be particularly damaging because cyber defenders haven’t had any time to protect against them or make breaches less damaging. It’s also relatively rare that hackers will take the time to find and exploit such a new vulnerability because there’s almost always an easier way to get the job done.

The hacking group is also a curious one. 

• Mandiant, which has been tracking the group for years, calls it APT41, using a naming convention for government-backed hacking groups, which it calls “advanced persistent threats.” Other cybersecurity firms have identified what’s likely the same group with names including “Barium,” and “Wicked Panda.”
• The Justice Department indicted five members of the group in 2020 for hacking more than 100 U.S. companies including computer software and hardware firms, telecom providers, video game companies, universities and think tanks.
• Unlike most Chinese government-backed hacking groups, APT41 has a history of earning money on the side from its hacking schemes. Those efforts include launching ransomware attacks and hijacking victims’ computers to mine cryptocurrency.
• The indictment didn’t slow down the gang’s hacking efforts, Brown told me.

Google will buy cyber giant Mandiant for $5.4 billion

Mandiant announced the deal this morning, which would also mark a major transition for one of the biggest names in cybersecurity. Mandiant frequently publishes research on state-sponsored hackers from countries like China and Russia. 

The deal is a huge boon to Google’s cloud computing business, Reuters reports. Google’s cloud division generates about $19 billion annually
but still loses money, Google reports. 

The report comes almost a month after Bloomberg News reported that Microsoft was in talks to buy Mandiant. Both Microsoft and Google have significant cloud divisions. Microsoft pulled out of talks for the firm more than a week ago, Bloomberg News’s Nick Turner, Dina Bass, and Michelle F Davis report. Microsoft and Google declined to comment to Bloomberg News, and Mandiant didn’t respond to a request for comment from the outlet.

Mandiant is an industry powerhouse. The firm gained widespread recognition when it published a landmark report in 2013 about APT1, which was the most detailed public account of Chinese government-backed hacking at the time. Top cybersecurity companies now release such reports as part of their standard practices. FireEye bought Mandiant in 2013, but Mandiant became a separate company last year. FireEye has combined with McAfee Enterprise and formed the cybersecurity firm Trellix.

“Mandiant’s more than 600 consultants currently respond to thousands of security breaches each year” and are “paired with research from more than 300 intelligence analysts,” the company said in a news release.

Hackers breached more than 20 natural gas companies before Russia invaded Ukraine

The hacks targeted companies that produce liquefied natural gas (LNG) and involved compromising the digital credentials of more than 100 workers, the cybersecurity firm Resecurity found, Bloomberg News’s Jordan Robertson and Sergio Chapa report.

Some of the hackers involved in the campaign have been linked to Russian hacking groups by other cyber researchers, Resecurity said, but the firm stopped short of saying the attack was a Russian operation. Resecurity chief executive Gene Yoo said he thought state-sponsored hackers were behind the attacks, but he declined to further speculate.

“The motive of the operation isn’t known, but the timing coincides with broader changes in the energy industry that have been accelerated by Russia’s war,” Bloomberg News notes. 

Resecurity first spotted the hackers trying to buy user names and passwords for employees at major U.S. natural gas companies and offering to pay top dollar.

Russia, Belarus have launched phishing attacks aimed at Ukraine

Russian military hackers tried to trick Ukrainian citizens into handing over their credentials in the run-up to Russia’s invasion of the country, Google said. Belarus, meanwhile, has targeted both Ukrainians and the Polish military in phishing campaigns, Joseph Menn reports.

“Google’s Threat Analysis Group tracked the attempts and warned hundreds that they were being targeted by a government, the company said. It said it is not known if any of the attempts succeeded, since they were not aimed at Google’s email accounts,” Joseph writes.

The attacks from a Belarussian government-linked group called Ghostwriter all came within the past week, Joe reports. During the past two weeks, a Kremlin hacking group known as Fancy Bear has also launched large phishing campaigns against users of Ukr.net, a Ukrainian media organization, Google said.

Cloudflare is staying in Russia. It will also give U.S. utilities and hospitals free cybersecurity services.

Cloudflare, which helps protect companies against denial of service attacks, rejected calls to drop all of its Russian customers, saying that “Russia needs more Internet access, not less” and Russia’s government wants it to leave the country. 

Context: The move comes as several other tech firms have cut ties with Russia, many citing concerns about violating Western sanctions. Cloudflare says it isn’t taking on new Russian clients, two security sources told The Post. The company is reviewing its existing relationships on a case-by-case basis, a spokesperson said.

In other news: Cloudflare — along with CrowdStrike and Ping Identity — announced a plan to give four months of its services free to U.S. hospitals, as well as electricity and water utilities, Joseph reports. 

The goal is to ramp up cybersecurity protections for the most vulnerable sectors that are vital to everyday life. “It’s just hospitals, power an
d water right now,” Cloudflare CEO Matthew Prince told The Post. “We built the list in consultation with industry and government experts to protect the most vulnerable and currently underprotected sectors. We may expand to other sectors in the future if there’s need.”

• Bob Kolasky, a longtime Cybersecurity and Infrastructure Security Agency official who led the National Risk Management Center, is joining Exiger as senior vice president for critical infrastructure.
• Adele Merritt is the U.S. intelligence community’s new chief information officer.

• Top intelligence and law enforcement officials testify before the House Intelligence Committee on worldwide threats today at 10 a.m.
• CISA Executive Director Brandon Wales speaks at an Aspen Institute event today at 2 p.m.
• The Senate Intelligence Committee holds its worldwide threats hearing on Thursday at 10 a.m.
• U.S. Cyber Command holds its annual legal conference on Thursday at 10 a.m.
• CISA Executive Assistant Director Eric Goldstein speaks at a Billington Cybersecurity event on Thursday at noon.

Thanks for reading. See you tomorrow.