Chinese spies hacked a pet app to breach US government networks
The online software known as the Animal Health Emergency Reporting Diagnostic System, or USAHERDS, serves as a useful digital tool for state governments to track and trace animal diseases throughout livestock populations. Now it has turned out to be a kind of infection vector of its own – in the hands of one of China’s most prolific groups of hackers.
On Tuesday, cybersecurity response firm Mandiant revealed a long-running hacking campaign that breached at least six US state governments over the past year. Mandiant says the campaign, which it believes was the work of the notorious Chinese cyber espionage group APT41 — also known as Barium, or as part of the larger Chinese hacker group Winnti — used a vulnerability in USAHERDS to penetrate at least two of them. It could have hit many more, given that 18 states run USAHERDS on web servers, and any of those servers could have been commandeered by the hackers.
APT41 has earned a reputation as one of China’s most aggressive hacking groups. The US Justice Department indicted five of its members in absentia in 2020, accusing them of hacking into hundreds of victims’ systems across Asia and the West, both for state-sponsored espionage and for profit. The group’s goals in this latest series of intrusions, and what data it may have sought, remain a mystery. But Mandiant analyst Rufus Brown says it still shows how active APT41 remains, and how inventive and thorough it has been in looking for any handle that might allow it to get into yet another set of targets — even an obscure livestock management tool that most Americans have never heard of.
“It is very annoying to see this group everywhere,” says Brown. “APT41 goes after any remote-facing web application that can give them access to a network. Just very persistent, very continuous targeting.”
Late last year, Mandiant warned the developer of USAHERDS, a Pennsylvania-based company called Acclaim Systems, about a high-severity hackable flaw in the app. The app encrypts and signs the data sent between PCs and the server running it using keys that are meant to be unique to each installation. Instead, the keys were hardcoded into the application, meaning they were the same for every server running USAHERDS. That meant any hacker who learned the hardcoded key values — as Mandiant believes APT41 did during reconnaissance of a previous victim’s network — could manipulate data sent from a user’s PC to the server to exploit another flaw in the code, allowing the hacker to run their own code on the server. Mandiant says Acclaim Systems has since patched the USAHERDS vulnerability. (WIRED reached out to Acclaim Systems but did not receive a response.)
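To make the shared-key problem concrete, here is an added illustration (not USAHERDS or Acclaim Systems code) of why a key baked into the application defeats the signing: it models client-to-server messages protected by an HMAC tag, which is an assumption about the scheme, and shows that a tag produced for one installation verifies on every other installation when the key is hardcoded, but not when each deployment generates its own key.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a key compiled into every copy of the app.
# Any party who has seen one installation can reproduce it for all the others.
HARDCODED_KEY = b"vendor-default-key-shared-by-all-installs"


def generate_install_key() -> bytes:
    """Per-installation key minted at deploy time: the fix for the shared-key flaw."""
    return secrets.token_bytes(32)


def sign(key: bytes, payload: dict) -> str:
    """Tag a JSON message with HMAC-SHA256 (assumed scheme, not the app's real one)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, tag: str) -> bool:
    """Server-side check; constant-time compare avoids leaking the tag by timing."""
    return hmac.compare_digest(sign(key, payload), tag)


def cross_install_acceptance(key_a: bytes, key_b: bytes) -> bool:
    """Does a message tagged under installation A's key verify on installation B?"""
    payload = {"herd_id": 42, "status": "quarantined"}  # constructed sample record
    tag = sign(key_a, payload)
    return verify(key_b, payload, tag)


def key_is_deployment_specific(key: bytes) -> bool:
    """Deployment check: reject the vendor default and anything too short to be random."""
    return key != HARDCODED_KEY and len(key) >= 32


if __name__ == "__main__":
    # Two servers shipped with the same compiled-in key accept each other's messages.
    print("shared key, cross-install accepted:",
          cross_install_acceptance(HARDCODED_KEY, HARDCODED_KEY))
    # Two servers with their own generated keys do not.
    print("per-install keys, cross-install accepted:",
          cross_install_acceptance(generate_install_key(), generate_install_key()))
```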
USAHERDS is hardly the only web app APT41 appears to have hacked as a way into victims’ systems. Based on a series of incident response cases over the past year, Mandiant believes that since at least May 2021, the Chinese group has been targeting US state authorities by exploiting web applications that use a development framework called ASP.NET. Initially, the group appears to have used a vulnerability in two such web apps, which Mandiant declined to name, to hack into two US state governments. Each of these apps was used exclusively by one of the two government agencies, Mandiant says.
But the next month, and continuing until the end of 2021, Mandiant saw the hackers move on to USAHERDS as another way in. APT41 hacked USAHERDS first as a way into one of the two state governments it had already targeted, and then to breach a third. Mandiant has not confirmed whether the same vulnerability was used against other victims. As of December, Mandiant found that APT41 had gone on to exploit the widely publicized vulnerability in Log4j, the widely used Apache logging framework, and used it to breach at least two other US state governments.