Image: Irham Setyaki via Unsplash/Photomosh
Image: Irham Setyaki via Unsplash/Photomosh

Chinese hackers accused of using Barracuda bug against federal, local US agencies

Chinese hackers used a recently patched vulnerability in security products from Barracuda Networks to conduct attacks against dozens of government organizations across the U.S. and Asia, according to a new report.

Researchers from cybersecurity firm Mandiant said on Tuesday that one primary group, which they call UNC4841, is behind a significant amount of the exploitation of a vulnerability — tagged as CVE-2023-2868 — in Barracuda’s Email Security Gateway (ESG) appliance.

The attackers spent more than eight months abusing that bug in attacks on a wide range of victims, Mandiant said.

Barracuda patched the vulnerability in May, but it quickly became apparent that state-backed hackers had spent months exploiting it to gain widespread access to government organizations across the U.S. and other countries. The company eventually sent an urgent notice telling customers to immediately decommission and replace all instances of the technology.

Mandiant, which is owned by Google, worked with Barracuda, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and several Australian cybersecurity agencies on the response to the campaign.

While there are several operational overlaps with past campaigns from Chinese government hackers, Mandiant said it has “not attributed activity tracked as UNC4841 to a previously known threat actor.” The advisory notes that several government agencies have also attributed the campaign to threat actors connected to Beijing’s government.

The campaign began in October 2022 and largely ended in June 2023, “with an initial surge of CVE-2023-2868 exploitation activity occurring in early November 2022.”

Mandiant noted that even as remediation efforts kicked into high gear in May, the group adapted, deploying “new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance.”

Based on the new malware and backdoors deployed against victims, Mandiant believes the hackers anticipated and prepared for remediation efforts, creating solutions that would allow them to keep their access to several high-value targets.

Targets across the world

Most targets Mandiant has seen are in North America, which is where many of Barracuda’s customers are located.

“Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns,” Mandiant said.

“While overall local government targeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly seventeen percent when compared to U.S.-based targeting alone. In some instances, targeted entities had populations below 10,000 individuals. Local government targeting occurred mostly in the initial months of CVE-2023-2868 exploitation, with the majority of observed compromises beginning from October through December 2022.”

As the group’s priorities have shifted, the number of U.S. local government organizations impacted by the group’s activity has fallen to 8% of observed impacted organizations.

In addition to government organizations, the hackers targeted tech companies, telecoms, manufacturing firms, colleges and universities, Mandiant said. The healthcare, biotechnology, public health, aerospace, defense, and semiconductor industries were also targeted.

As noted in a June advisory, Mandiant found several attacks targeting the Ministry of Foreign Affairs for the Association of Southeast Asian Nations (ASEAN) as well as organizations in Taiwan and Hong Kong. The hackers typically went after specific email accounts for people who are of strategic importance to China’s government while they were taking part in high-level diplomatic meetings with other countries.

“A distinct prioritization of government agencies alongside high tech and information technology targets was also observed when examining UNC4841 tools deployed following Barracuda’s patching and initial disclosure of CVE-2023-2868,” the company said.

“These factors support the assessment that the campaign had an espionage motivation.”

Mandiant urged victims to contact Barracuda and CISA if they discover they were compromised.

Skipjack, Depthcharge, Foxglove and Foxtrot

As soon as remediation efforts began on May 22, the hackers deployed several new malware families that Mandiant calls Skipjack, Depthcharge, Foxglove and Foxtrot. The hackers also used a new version of Seaspy, a malware strain recently highlighted by CISA in an advisory.

“This was followed by a second, previously undisclosed wave, that began in early June 2023. In this second wave, Mandiant discovered the actor attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE,” Mandiant explained.

“This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments.”

Mandiant noted that the organizations on which UNC4841 used these malware strains were typically national governments and technology firms like IT and managed service providers. The hackers targeted “sectors that are key to global governments maintaining a competitive technological and economic edge in the face of impending strategic state deadlines.”

Skipjack is a passive backdoor that allows hackers to watch for specific inbound email headers and subjects. It was deployed on about 6% of all compromised ESG appliances — mostly targeted at government and technology organizations.

Depthcharge stood out to Mandiant because it is common practice for victims to export the configurations they had on compromised devices onto clean ones. With Depthcharge hidden on compromised devices, hackers could maintain their access on the new devices. Depthcharge was deployed on about 2.5% of all compromised appliances, including U.S. government entities and other governments.

Mandiant and Barracuda observed instances where this occurred and notified victims. This malware deployed selectively on “high-value” targets, indicating to Mandiant experts that “despite this operation's global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks.”

Foxtrot/Foxglove allowed the hackers to conduct several other actions including capturing keystrokes. It was the only malware seen in this campaign that could be used on other devices for lateral movement and credential theft. It was also the most selectively used malware — only deployed on government organizations “that were high priority targets for the PRC.”

The hackers used several other methods to maintain their access, including moving to other devices on the victim network.

The earliest compromises were seen at organizations in China, but Mandiant noted that after the initial compromises from October to December, there was a distinct falloff in activity from January 20-22 — which coincides with the Chinese New Year.

Mandiant noted that since the patch for ESG appliances was released on May 20, it has not seen evidence of new compromises using CVE-2023-2868 beyond the initial 5% that were attacked.

The Barracuda campaign was evidence, according to Mandiant, that Chinese cyber-espionage tactics are evolving to “more purposeful, stealthy, and effective operations that avoid detection and complicate attribution.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.