China’s APT41 exploited Log4j within hours

The Chinese advanced persistent threat (APT) actor tracked variously as APT41, Barium, Wicked Panda/Spider or Bronze Atlas was actively compromising victims via the Log4Shell vulnerability in Apache Log4j immediately after its disclosure in December 2021, according to research conducted by Mandiant’s analysts.

Mandiant, which earlier this week was bought by Google Cloud, revealed that APT41 broke into at least six state government networks in the US over a nine-month period, using both Log4j and another vulnerability in USAHerds (a government livestock health application) in a campaign exploiting vulnerable web apps facing the public internet.

APT41’s exploitation of Log4j began within hours of the initial 10 December 2021 advisory, when they used it to compromise two government bodies, as well as against other targets in the insurance and telecoms sectors.

Moreover, within the past fortnight, APT41 has re-compromised two of the campaign’s previous victims. Investigations into these breaches are ongoing, but Mandiant said it was clear APT41 is moving quickly to change up its initial access techniques, and is apparently unfazed by indictments against its members issued by the American authorities last year.

Mandiant principal threat analyst Geoff Ackerman said that while the cyber community’s attention was captured by the ongoing war in Ukraine, its latest disclosure showed that it is business as usual for other major threat actors.

“We cannot allow other cyber activity to fall to the wayside, especially given our observations that this campaign from APT41 – one of the most prolific threat actors around – continues to this day,” said Ackerman.

“APT41 is truly a persistent threat, and this recent campaign is another reminder that state level systems in the United States are under unrelenting pressure from nation-state actors like China, as well as Russia.

“However, while this latest campaign has deliberately targeted the US, APT41’s use of the zero-day vulnerability in Log4j demonstrates their continued interest in more traditionally targeted regions, like southeast Asia.

“A preference for utilising web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose,” he added.

Aubrey Perin, lead nation-state threat intelligence analyst at Qualys, said that recent cyber history has shown that the Chinese government is deeply concerned with knowing as much as it possibly can at all times.

“Their belief system around information being a public domain differs with the United States’ notion of Intellectual Property. As long as China is not spying for the sake of harming others, it is on brand for them to be poking about in ways that come to fruition in instances such as these,” he said.

“One of the most concerning pieces that points to the sophistication and immense volume of resources at state actors’ disposal was China’s ability to infiltrate two states using the internet-shaking Log4j flaws mere hours following CISA’s advisory.”

In emailed comments, Perin told Computer Weekly that, based on Qualys’ own research capabilities, while many organisations were swift and responsive to the Log4j disclosures, up to 30% of existing Log4j instances are still at risk. He said those that were still ignoring the vulnerability were effectively “hitting the snooze button”.