Chinese state-sponsored hackers have successfully breached the networks of at least six U.S. state governments since May 2021, cybersecurity researchers reported.
The researchers at Mandiant reported on March 8, 2022 on "a persistent months-long campaign conducted by APT41 using vulnerable Internet facing web applications as their initial foothold into networks of interest."
APT41 is a Chinese state-sponsored espionage group "known to target organizations in both the public and private sectors and also conducts financially motivated activity for personal gain," the report noted.
APT41 compromised at least six U.S. state government networks "by exploiting vulnerable Internet facing web applications, including using a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228). While the overall goals of APT41's campaign remain unknown, our investigations into each of these intrusions have revealed a variety of new techniques, malware variants, evasion methods, and capabilities," the report said.
Mandiant, which does not name the affected states, said the Chinese hackers exploited a previously unknown vulnerability in a commercial web application used for animal health management in 18 American states.
The hackers also exploited the Log4j flaw (CVE-2021-44228) disclosed in December 2021, which American officials previously said was likely present in hundreds of millions of devices.
Mandiant reported that between May 2021 and February 2022 APT41 successfully compromised the state government networks "through the exploitation of vulnerable Internet facing web applications, often written in ASP.NET. In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities."
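The two web-application bug classes named above, .NET deserialization and directory traversal, come down to a handler trusting bytes or a file name taken from the request. The following C# is an added illustration written for this article; it is not code from the Mandiant report, from USAHerds, or from any of the affected state systems, and the class and method names (SessionState, StateLoader, LoadSessionStateUnsafe and so on) are hypothetical. It shows the unsafe pattern beside a hardened version of each.

```csharp
// Added example for this article, not code from the report or any affected
// application. Names below are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class SessionState
{
    public string UserName { get; set; } = "";
    public int Page { get; set; }
}

public static class StateLoader
{
    // VULNERABLE: BinaryFormatter instantiates whatever types the payload names,
    // so a crafted blob that names framework "gadget" types runs attacker code
    // during Deserialize(), before the cast to SessionState is ever reached.
    // Microsoft marks BinaryFormatter obsolete for exactly this reason.
    public static SessionState LoadSessionStateUnsafe(string base64FromRequest)
    {
        byte[] raw = Convert.FromBase64String(base64FromRequest);
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(raw);
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete/insecure
        return (SessionState)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // HARDENED: a data-only format bound to one concrete type. JsonSerializer
    // never creates types named by the input, so there is no gadget chain to
    // reach; the remaining work is ordinary input validation.
    public static SessionState LoadSessionStateSafe(string jsonFromRequest)
    {
        if (jsonFromRequest.Length > 4096)
            throw new ArgumentException("state too large");
        SessionState state = JsonSerializer.Deserialize<SessionState>(jsonFromRequest)
                             ?? throw new ArgumentException("empty state");
        if (state.Page < 0 || state.UserName.Length > 64)
            throw new ArgumentException("state failed validation");
        return state;
    }

    // VULNERABLE: directory traversal. A requested name such as
    // "..\..\web.config" walks out of the intended folder.
    public static string ReadReportUnsafe(string root, string requestedName)
    {
        return File.ReadAllText(Path.Combine(root, requestedName));
    }

    // HARDENED: resolve the final path and confirm it still sits under the
    // report root before touching the file system. Path.Combine alone is not a
    // check: an absolute second argument simply replaces the root.
    public static string ReadReportSafe(string root, string requestedName)
    {
        string rootFull = Path.GetFullPath(root)
                              .TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string target = Path.GetFullPath(Path.Combine(rootFull, requestedName));
        if (!target.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes report directory");
        return File.ReadAllText(target);
    }
}
```

The deserialization fix is the type restriction, not the choice of JSON as such: any serializer that lets the input pick the runtime type (BinaryFormatter, NetDataContractSerializer, Json.NET with TypeNameHandling enabled) reintroduces the problem. For the traversal check, comparing the fully resolved path against the root is what matters; rejecting ".." substrings alone misses encoded and absolute-path variants.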
In a March 11 op-ed for the Washington Examiner, Dan Lips, head of policy at the Lincoln Network, noted: "Between 2018 and 2020, nearly 250 government organizations were victimized by ransomware attacks. This cost them as much as $50 billion. Beyond the financial costs, these attacks can disrupt key government services, including public safety, and also put sensitive data at risk."
According to the National Conference of State Legislatures, 45 states considered cybersecurity bills last year.
"Common themes of this legislative activity were requiring cybersecurity training for state employees, establishing and enforcing new security guidelines, and planning for cyber incidents," Lips noted. "Several states also established new laws aimed to address ransomware threats. Indiana passed a measure to require state and local government agencies to report cyber incidents to the state’s Office of Technology. North Carolina established a law that prohibits state and local government agencies from paying ransoms in the event of a breach."
This year, Florida state lawmakers "are considering legislation that could become a model for how states can improve cyber risk management, including by establishing security standards for local governments," Lips wrote.
The bill would require new rules for state and local governments to report cyber incidents as well as after-action reports to the state. By 2025, all county and municipal governments would be required to adopt and implement cybersecurity best practices based on federal and state guidelines. The bill recently passed the state House of Representatives with overwhelming support.