How Beijing’s hackers compromised US government networks in six states by exploiting a flaw in a cattle-counting system

A Chinese state-sponsored cyber espionage group reportedly compromised computer networks in six U.S. states by exploiting a serious vulnerability in a livestock-tracking application, part of a broader escalation in cyberattacks against public and private organizations in the West.

According to Mandiant researchers, APT41, also tracked as Double Dragon and one of China's most capable hacking groups, exploited a zero-day vulnerability in USAHerds, an application that state agriculture officials use to track the health and population of cattle in the U.S.

After exploiting the flaw, the attackers deployed a Windows malware variant and registered a scheduled task that periodically restarted it, so the malware stayed persistent on the compromised system.
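A scheduled task that keeps relaunching a dropped binary is a pattern a defender can hunt for. The script below is an added example, not code from Mandiant's report or from the USAHerds vendor: it triages Task Scheduler XML (the format exported by `schtasks /query /XML`, and carried in the TaskContent field of Security event 4698 when a task is created) and flags tasks that re-launch a binary from a user-writable location on a boot, logon or short repeating trigger. The task names, paths and both task definitions are constructed for illustration; the writable-location prefixes and the scoring threshold are assumptions to tune per environment.

```python
"""Triage scheduled-task definitions for the re-launch persistence pattern.

Added example (not Mandiant's code or the USAHerds vendor's): takes task XML as
exported by `schtasks /query /XML` or carried in the TaskContent field of
Security event 4698, and flags tasks that re-launch a binary from a
user-writable location on a boot/logon or short repeating trigger.
All sample task XML below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed list: locations a web-application service account or an unprivileged
# user can write to. A dropped implant ends up here; a stock Windows task rarely does.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                     "c:\\temp\\", "%appdata%", "%localappdata%", "%temp%")
# Names attackers borrow for binaries they drop outside System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


def iso_duration_seconds(duration: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration ('PT10M', 'P1DT2H') to seconds; 0 if absent."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration or "")
    if not m:
        return 0
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(task_xml: str) -> dict:
    """Pull the fields that matter for persistence triage out of task XML."""
    root = ET.fromstring(task_xml)
    return {
        "command": root.findtext(".//t:Exec/t:Command", default="", namespaces=NS).strip(),
        "arguments": root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS).strip(),
        "interval": root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS),
        "boot": root.find(".//t:BootTrigger", NS) is not None,
        "logon": root.find(".//t:LogonTrigger", NS) is not None,
        "hidden": root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
    }


def assess_task(name: str, task_xml: str) -> dict:
    """Score one task; two or more independent indicators mark it suspicious (assumed threshold)."""
    t = parse_task(task_xml)
    cmd = t["command"].lower()
    basename = cmd.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if cmd.startswith(WRITABLE_PREFIXES):
        reasons.append("binary in user-writable location")
    if basename in SYSTEM_NAMES and "\\system32\\" not in cmd:
        reasons.append(f"{basename} outside System32")
    secs = iso_duration_seconds(t["interval"])
    if 0 < secs <= 3600:  # re-launch loop tighter than an hour
        reasons.append(f"re-launches every {secs}s")
    if t["boot"] or t["logon"]:
        reasons.append("runs at boot/logon")
    if t["hidden"]:
        reasons.append("hidden task")
    return {"name": name, "command": t["command"], "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def hunt(tasks: dict) -> list:
    """Return the names of suspicious tasks from a {name: task_xml} mapping."""
    return [r["name"] for r in (assess_task(n, x) for n, x in tasks.items()) if r["suspicious"]]


# Constructed: an implant re-launch task of the kind described in the text.
IMPLANT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    </BootTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\Microsoft\\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed: a stock-looking daily maintenance task that should not be flagged.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2022-03-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\System32\\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for verdict in (assess_task("Updater", IMPLANT_TASK), assess_task("Consolidator", BENIGN_TASK)):
        print(verdict["name"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
    print("flagged:", hunt({"Updater": IMPLANT_TASK, "Consolidator": BENIGN_TASK}))
```

Legitimate per-user updaters do run from AppData on a logon trigger, so the writable-location check alone will produce false positives; in a real deployment, allowlist by the binary's Authenticode signer before escalating a hit, and compare task creation times against the web application's access logs to tie the task back to the initial exploitation.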

Rufus Brown, a researcher at Mandiant, said: “APT41 has focused primarily on state government networks in the U.S., and also in some areas of South Asia.” Brown adds that the attackers use a broad range of techniques, including SQL injection, deserialization attacks and exploitation of the critical vulnerability in Log4j.

In its report, Mandiant acknowledges that it still has little information about the objectives of this campaign, and says the investigation will continue until its specialists have more conclusive findings.

Separately, Proofpoint published an investigation into a hacking group it tracks as TA416, an operation entirely distinct from APT41: “We believe that the tactics used by both actors are very different and we see no parallels between these groups,” says Proofpoint threat director Sherrod DeGrippo.

According to the report, this group has been delivering malicious URLs that install the PlugX malware payload. The researchers attribute to TA416 a campaign against government and diplomatic entities in Europe that began a couple of weeks ago, coinciding with Russia’s military invasion of Ukraine.

TA416 delivers the PlugX payload through emails containing links to a Dropbox account, much as in a campaign observed in 2014 that used the same remote access Trojan (RAT).

Both campaigns remain active, and researchers and affected organizations continue to look for the best ways to prevent further security incidents in the near future.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.