Jun 16, 2023 - Technology

China-linked hackers target hundreds around the world

Illustration: Sarah Grillo/Axios

Hackers suspected of being backed by China have exploited a flaw in a widely deployed email security appliance, Barracuda Networks' Email Security Gateway, to target hundreds of public and private sector organizations around the world, researchers at Google-owned Mandiant have found.

Why it matters: Almost a third of the targeted organizations are government agencies, including foreign ministries, according to the report, released Thursday.

  • UNC4841, a group suspected of working on behalf of the Chinese government, is believed to have been exploiting the recently uncovered flaw since at least October 2022, roughly seven months before it was discovered.

What's happening: Barracuda Networks started warning customers in May of a security flaw in its Email Security Gateway appliances, tracked as CVE-2023-2868, after receiving reports of unusual traffic crossing the devices.

Details: The Mandiant report provides some of the first insights into who is likely behind the attacks and what hackers might have been after.

  • UNC4841 started sending emails as early as Oct. 10, 2022, carrying attachments crafted to trigger the flaw on vulnerable Barracuda appliances and drop malware on them.
  • Once inside an organization's network, the hackers mostly focused on stealing data and on using the compromised appliances to send more malicious emails to other targets.
  • Even after Barracuda released its first patch in May, the hackers responded by deploying new malware to keep their access on "a number of victims located in at least 16 different countries," Mandiant said.

The big picture: 55% of all affected organizations are based in the Americas.

  • Known victim organizations also include the ASEAN Ministry of Foreign Affairs, as well as trade offices and academic research organizations in Taiwan and Hong Kong.
  • CISA also released an updated alert Thursday urging organizations to investigate signs of intrusion.

Be smart: Mandiant recommended that all affected organizations replace compromised appliances rather than simply patching them, since the intruders kept access on patched devices, and hunt their networks for any signs of the hackers on their systems.
