Suspected state-affiliated hackers from China exploited a security vulnerability in a widely used email security device to infiltrate the networks of numerous public and private sector organizations globally, nearly a third of them government agencies, including foreign ministries, according to the cybersecurity firm Mandiant. On Thursday, Charles Carmakal, Mandiant’s chief technical officer, stated in an email that “This is the most extensive cyber espionage campaign attributed to a China-linked threat actor since the widespread exploitation of Microsoft Exchange in early 2021.”
That breach compromised tens of thousands of computers on a global scale.
In a blog post on Thursday, Mandiant, owned by Google, expressed “high confidence” that the group responsible for exploiting a software vulnerability in Barracuda Networks’ Email Security Gateway was engaged in “espionage activity in support of the People’s Republic of China.”
The activity is believed to have started as early as October. The hackers sent emails with malicious file attachments to gain unauthorized access to targeted organizations’ devices and data, according to Mandiant.
Of the organizations affected, 55% were from the Americas, 22% from the Asia Pacific region, and 24% from Europe, the Middle East, and Africa. This included foreign ministries in Southeast Asia, foreign trade offices, and academic organizations in Taiwan and Hong Kong, Mandiant reported.
Mandiant noted that the concentration of impact in the Americas could partly be due to the geographic distribution of Barracuda’s customer base.
On June 6, Barracuda announced that some of its email security appliances had been compromised since October, giving the intruders unauthorized access to the affected networks.
The severity of the breach led the California-based company to recommend complete replacement of the affected appliances.
After discovering the vulnerability in mid-May, Barracuda released containment and remediation patches. However, the hacking group, identified as UNC4841 by Mandiant, modified its malware to maintain access.
The group then “responded with frequent operations targeting victims in at least 16 different countries.”
The breach coincided with US Secretary of State Antony Blinken’s upcoming visit to China, part of the Biden administration’s efforts to mend deteriorating relations between Washington and Beijing. The trip had originally been scheduled for earlier this year but was indefinitely postponed following the discovery and interception of what the US claimed was a Chinese espionage balloon over the United States.
Mandiant stated that the targeting, both at the organizational and individual account levels, focused on issues that held significant policy priorities for China, particularly in the Asia Pacific region.
According to Mandiant, the hackers searched for email accounts belonging to individuals working for governments of political or strategic interest to China, especially during diplomatic meetings with other countries.
In a statement on Thursday, Barracuda mentioned that approximately 5% of its active Email Security Gateway appliances worldwide exhibited signs of potential compromise. The company stated that it was providing affected customers with replacement appliances at no cost.
The US government has accused Beijing of being its primary cyber espionage threat, with state-affiliated Chinese hackers involved in data theft from both private and public sectors.
In terms of intelligence impacting the US, China’s most significant infiltrations have targeted OPM, Anthem, Equifax, and Marriott.
Earlier this year, Microsoft disclosed that state-affiliated Chinese hackers had been targeting critical US infrastructure, potentially laying the groundwork for disrupting critical communications between the US and Asia during future crises.
China has accused the US of engaging in cyber espionage against it, alleging hacking into the computers of its universities and companies.