THE WEB-BASED SOFTWARE known as the Animal Health Emergency Reporting Diagnostic System, or USAHERDS, serves as a helpful digital tool for state governments to track and trace animal diseases through populations of livestock. Now it's turned out to be a kind of infection vector of its own—in the hands of one of China's most prolific groups of hackers.
On Tuesday, the cybersecurity incident-response firm Mandiant revealed a long-running hacking campaign that breached at least six US state governments over the past year. Mandiant says the campaign, which it believes to have been the work of the notorious Chinese cyberespionage group APT41—also known as Barium, or as a part of the larger Chinese hacker group Winnti—used a vulnerability in USAHERDS to penetrate at least two of those targets. It may have hit many more, given that 18 states run USAHERDS on web servers, and any of those servers could have been commandeered by the hackers.
APT41 has gained a reputation as one of China's most aggressive hacking groups. The US Department of Justice indicted five of its members in absentia in 2020 and accused them of hacking into hundreds of victims' systems across Asia and the West, both for state-sponsored espionage and for profit. The group’s goal in this latest series of intrusions, or what data they may have been seeking, remains a mystery. But Mandiant analyst Rufus Brown says that it nonetheless shows just how active APT41 remains, and how inventive and thorough it's been in searching for any toehold that might allow them into yet another set of targets—even an obscure livestock management tool most Americans have never heard of.
“It's very unnerving to see this group everywhere,” says Brown. “APT41 is going after any external-facing web application that can give them access to a network. Just very persistent, very continuous targeting.”
Late last year, Mandiant warned the developer of USAHERDS, a Pennsylvania-based company called Acclaim Systems, of a high-severity hackable bug in the app. The app encrypts and signs the data sent between PCs and the server running it using keys that are meant to be unique to every installation. Instead, the keys were hard-coded into the application, meaning they were the same for every server that ran USAHERDS. That meant that any hacker who learned the hard-coded key values—as Mandiant believes APT41 did during its reconnaissance of another, earlier victim's network—could manipulate data sent from a user's PC to the server to exploit another bug in its code, allowing the hacker to run their own code on the server at will. Mandiant says Acclaim Systems has since patched the USAHERDS vulnerability.
USAHERDS is hardly the only web app APT41 appears to have hacked as a way into its victims' systems. Based on a series of incident-response cases over the past year, Mandiant believes that the Chinese group has since at least May 2021 been targeting US state governments by exploiting web applications that use a development framework called ASP.NET. At first, the group appears to have used a vulnerability in two such web apps, which Mandiant declined to name, to hack into two US state governments. Each of those apps was used solely by one of the two state agencies, Mandiant says.
But the next month, and continuing through the end of 2021, Mandiant saw the hackers move on to target USAHERDS as another means of entry. APT41 hacked USAHERDS first as a way into one of the two state governments it had already targeted, and then to breach a third. Mandiant hasn't confirmed that the same vulnerability was used to hack any other victims. Starting in December, Mandiant found that APT41 moved on to exploiting the widely publicized vulnerability in Log4j, the commonly used Apache logging framework, using it to breach at least two other US state governments.
Mandiant nonetheless chose to reveal the exploitation of USAHERDS in the two earlier breaches due to the broad use of the app across state governments, the severity of the bug, and the likelihood that it was also used to quietly penetrate other state networks. "There are 18 states that use USAHERDS. If you're APT41, why not exploit all of them?" says Mandiant's Brown. "We don't know how broad this is. We just really want to get the information out there."
Once it had access to a server on a target network, APT41 would advance using relatively common "credential harvesting" tools, such as the Mimikatz technique of accessing passwords in a machine's memory and then using them to gain access to other computers on the network. It then planted backdoor code in victim computers that allowed it broad, ongoing access to the state governments' networks. The group used malware and infrastructure that Mandiant says it clearly recognized as that of APT41, including tools with names like KEYPLUG, DEADEYE, and DUSTPAN.
The half-dozen US state governments that Mandiant has highlighted join a massive list of APT41's targets over the past several years, from the US, France, Australia, the United Kingdom, and Chile to a dozen Asian countries. The group, which the Department of Justice has linked to a Chengdu, China-based company called Chengdu 404 Network Technology, has carried out an unusual mix of espionage-focused hacking—seemingly in the service of the Chinese government—and for-profit hacking, from stealing virtual video game currency to ransomware.
But APT41 may be most remarkable for its inventive approaches to gaining access to large numbers of target networks, which are often far more unique and stealthy than the simple phishing or password-spraying used by some groups. Over several years, for instance, the group carried out a series of software supply chain hijacking operations, gaining access to software developers' systems to plant their code in legitimate applications like the software updates of laptop maker Asus, the hard-drive cleanup tool CCleaner, and Netsarang, a Korean-made enterprise remote management tool.
The group's more recent targeting of niche web applications like USAHERDS represents another example of its relatively arcane methods. "They're very creative," says Brown. "They have high operational capability to really perform these large-scale campaigns."
The lesson for developers, it seems, is that no app is too obscure to be a target for a determined adversary. Your code may just be designed for monitoring cows. But that doesn't mean state-sponsored cyberspies aren't monitoring your code.