China-linked hackers target hundreds around the world

- Sam Sabin, author of Axios Codebook

Illustration: Sarah Grillo/Axios
Hackers suspected of being backed by China have exploited a flaw in a popular email security tool to target hundreds of public and private sector organizations around the world, researchers at Google-owned Mandiant have found.
Why it matters: Almost a third of the targeted organizations are government agencies, including foreign ministries, according to the report, released Thursday.
- UNC4841, a group suspected of working on behalf of the Chinese government, is believed to have been exploiting the recently uncovered security flaw since at least October.
What's happening: Barracuda Networks started warning customers of a security flaw in its popular Email Security Gateway devices last month after receiving reports of unusual traffic crossing the systems.
- The flaw was more severe than most: Barracuda recently urged customers to completely rip out and replace any affected devices, rather than simply patching them.
Details: The Mandiant report provides some of the first insights into who is likely behind the attacks and what hackers might have been after.
- UNC4841 started sending emails as early as Oct. 10 that included malware-laced attachments designed to exploit vulnerable Barracuda devices.
- Once the group was inside an organization's networks, the hackers mostly focused on stealing data and using compromised devices to send more malicious emails to other targets.
- Even after Barracuda released its first patch last month, the hackers responded by deploying a new malware strain to maintain their access across "a number of victims located in at least 16 different countries," Mandiant said.
The big picture: 55% of all affected organizations are based in the Americas.
- Known victim organizations also include the ASEAN Ministry of Foreign Affairs, as well as trade offices and academic research organizations in Taiwan and Hong Kong.
- CISA also released an updated alert Thursday urging organizations to investigate signs of intrusion.
Be smart: Mandiant recommended all affected organizations replace the compromised devices and investigate their networks for any signs of the hackers on their systems.