U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool

A threat group believed to be sponsored by the Chinese government has breached the networks of U.S. state governments, including through the exploitation of a zero-day vulnerability.

In a blog post published on Tuesday, cybersecurity research and incident response company Mandiant said it became aware of the campaign in May 2021, when it was called in to investigate an attack on a U.S. state government network.

An analysis revealed that the attack had likely been carried out by a Chinese state-sponsored threat group known as APT41, Barium, Winnti, Double Dragon, Wicked Panda, and various other names. This prolific threat actor has conducted both cyberespionage operations and financially motivated attacks, and is known for its sophisticated tools and techniques.

Mandiant has confirmed that the hackers compromised the networks of at least six U.S. state government organizations between May 2021 and February 2022. The precise goal of the campaign remains unknown, but the fact that the attackers target governments and steal personal information suggests espionage.

The company’s investigation uncovered the use of new techniques, malware, evasion methods and capabilities.

In the first two attacks observed by Mandiant, the attackers exploited a proprietary .NET web application that was exposed to the internet. In one case, after being kicked out of a network, the hackers returned two weeks later by exploiting a zero-day vulnerability in USAHerds (Animal Health Emergency Reporting Diagnostic System), a commercial application used by the Department of Agriculture in 18 U.S. states for animal health management.

The threat actor apparently discovered an easy-to-exploit zero-day flaw that enabled it to gain access to victim networks.

The USAHerds vulnerability, described as a hardcoded credentials issue and tracked as CVE-2021-44207, was patched in November 2021. However, based on information from Mandiant, it has been exploited since at least June 2021 by APT41.

According to Mandiant, CVE-2021-44207 has been exploited in attacks against at least two U.S. government organizations. In more recent attacks, the hackers also exploited the notorious Log4Shell vulnerability, which they started leveraging just hours after its existence was made public.

Mandiant said the USAHerds security hole is similar to CVE-2020-0688, a Microsoft Exchange vulnerability that has also been exploited in the wild.

In the case of USAHerds, all installations shared the same machineKey values instead of using uniquely generated values for each instance of the application. In ASP.NET, the machineKey protects ViewState and authentication tickets, so a single hardcoded key means that anyone who learns it can forge data that every installation will accept.

“Mandiant did not identify how APT41 originally obtained the machineKey values for USAHerds; however once APT41 obtained the machineKey for USAHerds, they were able to compromise any server on the Internet running USAHerds. As a result, there are potentially additional unknown victims,” the cybersecurity firm said.
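The shared-machineKey weakness described above is something a defender can audit for directly. The following script is an added example, not code from the article, from Mandiant, or from the USAHerds project: it parses a set of ASP.NET web.config files, flags any `<machineKey>` element whose keys are hardcoded rather than set to `AutoGenerate`, and reports key material that appears in more than one configuration (the condition that let one leaked key unlock every instance). The config contents and key values below are constructed for illustration.

```python
"""Audit ASP.NET web.config files for static or shared machineKey values.

Added example (not from the article, Mandiant or USAHerds). Two findings:
  1. STATIC: <machineKey> carries an explicit validationKey/decryptionKey
     instead of the "AutoGenerate" default, so the key survives unchanged
     across installs and redeployments.
  2. SHARED: the same key material appears in more than one config, so a
     single leaked key compromises every instance using it.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample configs. Key values are placeholders, not real secrets.
SHARED_KEY = "A1B2C3D4" * 16
OTHER_KEY = "9F8E7D6C" * 16

def _config_with_key(validation: str, decryption: str) -> str:
    return (
        '<?xml version="1.0"?>\n'
        "<configuration>\n  <system.web>\n"
        f'    <machineKey validationKey="{validation}" decryptionKey="{decryption}"\n'
        '                validation="HMACSHA256" decryption="AES" />\n'
        "  </system.web>\n</configuration>"
    )

SAMPLE_CONFIGS: Dict[str, str] = {
    "server-a/web.config": _config_with_key(SHARED_KEY, SHARED_KEY),
    "server-b/web.config": _config_with_key(SHARED_KEY, SHARED_KEY),
    "server-c/web.config": _config_with_key("AutoGenerate,IsolateApps",
                                            "AutoGenerate,IsolateApps"),
    "server-d/web.config": _config_with_key(OTHER_KEY, OTHER_KEY),
}

def parse_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first <machineKey> element, or None."""
    root = ET.fromstring(config_xml)
    # The element may sit under <system.web> or inside a <location> block.
    mk = root.find(".//machineKey")
    return dict(mk.attrib) if mk is not None else None

def is_static(attrs: Dict[str, str]) -> bool:
    """True if either key is hardcoded rather than auto-generated.

    A missing attribute means ASP.NET's default, "AutoGenerate,IsolateApps".
    """
    for name in ("validationKey", "decryptionKey"):
        value = attrs.get(name, "AutoGenerate,IsolateApps")
        if value.split(",")[0].strip().lower() != "autogenerate":
            return True
    return False

def audit(configs: Dict[str, str]) -> Dict[str, object]:
    """Return {'static': [paths], 'shared': {fingerprint: [paths]}}."""
    static: List[str] = []
    by_fingerprint: Dict[str, List[str]] = defaultdict(list)
    for path, xml_text in configs.items():
        attrs = parse_machine_key(xml_text)
        if attrs is None or not is_static(attrs):
            continue
        static.append(path)
        # Fingerprint the key material so the report never re-logs the secret.
        material = attrs.get("validationKey", "") + "|" + attrs.get("decryptionKey", "")
        fp = hashlib.sha256(material.encode()).hexdigest()[:16]
        by_fingerprint[fp].append(path)
    shared = {fp: paths for fp, paths in by_fingerprint.items() if len(paths) > 1}
    return {"static": sorted(static), "shared": shared}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    for path in report["static"]:
        print(f"STATIC machineKey: {path}")
    for fp, paths in report["shared"].items():
        print(f"SHARED machineKey {fp} used by: {', '.join(paths)}")
```

Run against real configs, the fix for any finding is the one the vendor applied: generate distinct key material per installation (or leave the keys at `AutoGenerate`), and rotate any key that has been shared.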

In the campaign monitored by Mandiant, the cyberspies delivered a piece of malware named Dustpan (tracked as StealthVector by Trend Micro), which they used to drop a Cobalt Strike Beacon backdoor. The group also tailored its malware to the victim’s environment.

The company’s researchers also noticed that APT41 has “substantially increased” usage of Cloudflare services for command and control (C&C) communications and data exfiltration.

In 2020, the United States Department of Justice announced charges against several alleged members of APT41 for attacks aimed at more than 100 companies in the U.S. and other countries. The charges announced at the time do not appear to have deterred the group.

Related: China’s APT41 Exploited Citrix, Cisco, ManageEngine Flaws in Global Campaign

Related: Researchers Attribute Airline Cyberattack to Chinese Hackers

Related: More Details Emerge on Operations, Members of Chinese Group APT41

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
