China-linked hackers target hundreds around the world

Hackers suspected of being backed by China have exploited a flaw in a popular email security tool to target hundreds of public and private sector organizations around the world, researchers at Google-owned Mandiant have found.

Why it matters: Almost a third of the targeted organizations are government agencies, including foreign ministries, according to the report, released Thursday.

• UNC4841, a group suspected of working on behalf of the Chinese government, is believed to have been exploiting the recently uncovered security flaw since at least October.

What's happening: Barracuda Networks started warning customers of a security flaw in its popular Email Security Gateway devices last month after receiving reports of unusual traffic crossing the systems.

• The flaw was more severe than most: Barracuda recently urged customers to completely rip out and replace any affected devices, rather than simply patching them.

Details: The Mandiant report provides some of the first insights into who is likely behind the attacks and what hackers might have been after.

• UNC4841 started sending emails as early as Oct. 10 that included malware-laced attachments designed to exploit vulnerable Barracuda devices.
• Once the group was inside an organization's networks, the hackers mostly focused on stealing data and using compromised devices to send more malicious emails to other targets.
• Even after Barracuda released its first patch last month, the hackers responded by deploying a new malware strain to maintain their access across "a number of victims located in at least 16 different countries," Mandiant said.

The big picture: 55% of all affected organizations are based in the Americas.

• Known victim organizations also include the ASEAN Ministry of Foreign Affairs, as well as trade offices and academic research organizations in Taiwan and Hong Kong.
• CISA also released an updated alert Thursday urging organizations to investigate signs of intrusion.

Be smart: Mandiant recommended all affected organizations replace the compromised devices and investigate their networks for any signs of the hackers on their systems.

Sign up for Axios’ cybersecurity newsletter Codebook here