A malicious attacker hacked organizations in 16 countries of strategic interest to China.

On June 15, 2023, cybersecurity firm Mandiant revealed a vast cyberespionage operation, attributed to the People’s Republic of China (PRC), affecting numerous organizations worldwide. It exploited a weakness in Email Security Gateway (ESG), a set of email protection tools from Barracuda.

On May 23, 2023, Barracuda disclosed a zero-day flaw in these appliances. Mandiant then helped analyze the malicious campaign exploiting the weakness. The earliest traces of the activity date back to early autumn 2022 in China, but the large-scale compromises began on October 10, 2022, when a wave of infected e-mails was sent to strategic organizations in 16 countries.

Researchers attribute these attacks to a previously unidentified malicious actor, dubbed UNC4841, most likely linked to the PRC. The flaw made it possible to pass off malware as legitimate ESG modules or services. UNC4841 was thus able to exfiltrate data and, in some cases, send e-mails or move laterally to take control of the targeted server.

From May 21, 2023, Barracuda deployed containment and remediation patches to "eradicate UNC4841 from affected devices". The attackers then attempted to maintain access, notably through high-frequency operations. On June 15, 2023, Barracuda warned of the persistence of "evidence of malicious activity" in some infected systems.

According to Mandiant, 55% of the organizations targeted belong to the "Americas" zone, 24% to the "Europe, Africa and Middle East" zone and 22% to the "Asia-Pacific" zone. A third of these organizations are government agencies.

According to the report, the campaign clearly had geopolitical intentions. In particular, the researchers identified shell scripts that "targeted email domains and users in the foreign ministries of ASEAN (Association of Southeast Asian Nations) countries, as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong".

The attacks also "targeted e-mail accounts belonging to people working for a government of political or strategic interest to the PRC, at the very time when this victim government was participating in high-level diplomatic meetings with other countries", adds Mandiant. For confidentiality reasons, the report does not disclose any of the victims.

"Although Mandiant has not attributed this activity to any previously known threat group to date, we have identified several infrastructure and malware code overlaps that allow us to state with certainty that this is a China-linked espionage operation," the researchers conclude.
