U.S. state legislature, Middle Eastern gov’t targeted by espionage group through Log4j
Jonathan Greig October 13, 2022

A group of hackers has used the Log4j vulnerability to attack the legislature of a U.S. state, the government of a country in the Middle East, a multinational electronics manufacturer, and a hospital in Southeast Asia, according to a new report.

Researchers with the Symantec Threat Hunter team published a report on Thursday outlining the latest campaign from the Budworm espionage group — hackers who have previously been tied to a hacking group connected to the Chinese government.

Symantec said this is the first time in several years that actors with Budworm have targeted a U.S.-based entity, making the recent campaign stand out. 

Dick O’Brien, principal intelligence analyst at Symantec, told The Record that the attack on the U.S. legislature took place in July of this year. 

“It’s also interesting to see an attack by one of the more capable APT actors being directed at the state level,” O’Brien said. “Either something particularly interesting to them was happening in that state or they’re being particularly granular in their intelligence gathering.”

The researchers found that in the most recent attacks, the hackers used the Log4j vulnerabilities – CVE-2021-44228 and CVE-2021-45105 – to compromise servers. Budworm actors also used the HyperBro malware family during attacks, a hallmark of Chinese government hackers with APT27. The hackers also used the PlugX/Korplug Trojan, another tool typically used by hackers based in China. 

O’Brien confirmed that Budworm is one of the names used to refer to APT27 hackers and that the general consensus is the group is based in China.

“Budworm is known for mounting ambitious attacks against high-value targets. While there were frequent reports of Budworm targeting U.S. organizations six to eight years ago, in more recent years the group’s activity appears to have been largely focused on Asia, the Middle East, and Europe,” the researchers said. 

“However, this is the second time in recent months Budworm has been linked to attacks against a U.S.-based target. A recent CISA report on multiple APT groups attacking a defense sector organization mentioned Budworm’s toolset. A resumption of attacks against U.S.-based targets could signal a change in focus for the group.”

HyperBro’s use was highlighted by several U.S. agencies last week in an advisory about attacks on a defense company that gave multiple government hacking groups “long-term” access to the network. 
