It appears the hackers working for the Chinese government were ‘not solely conducting conventional espionage campaigns,’ a Proofpoint researcher says.
Hackers working on behalf of China’s government were likely seeking intellectual property in the widespread attacks targeting customers of Barracuda’s Email Security Gateway, in addition to conducting espionage, a Proofpoint researcher said.
Last week, Mandiant attributed the cyberattack campaign with “high confidence” to an espionage-focused group working for the Chinese government, which the incident response firm is tracking as UNC4841.
In comments provided to CRN by email, Michael Raggi, a threat researcher at cybersecurity vendor Proofpoint, said there are indicators the attackers had other motives, as well.
“Based on the victimology of numerous victims across eight months of phishing campaigns, we believe that UNC4841 was not solely conducting conventional espionage campaigns,” Raggi said in the email comments.
“Targeting academic and government institutions that conduct research aligned with key strategic sectors included in the Made in China 2025 directive may indicate that there was an intellectual property theft component to these campaigns,” he said. “We observed targeting in four of 10 key sectors included in the Made in China 2025 state-issued directive.”
In its Made in China 2025 strategy, initially unveiled in 2015, China’s government identified its priority industries going forward, particularly in cutting-edge areas of science and technology. Cybersecurity experts have suggested the strategy can serve as a guide for the types of IP that hackers working for China will target most frequently.
In a tweet, Proofpoint researchers said that “targeting [in the Barracuda attacks] focused on scientific research institutions in the US government & academia to include theoretical mathematics, applied physics, public health, nuclear science, & the study of animals.”
The attacks, which leveraged a critical vulnerability in the on-premises appliances that has since been patched, prompted the unusual recommendation from Barracuda that affected customers replace their Email Security Gateway devices outright.
Mandiant, which is owned by Google Cloud, was hired by Barracuda to investigate the incident.
“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors,” Mandiant researchers said in a blog post.
The researchers noted that nearly a third of affected organizations have been government agencies, “supporting the assessment that the campaign had an espionage motivation.”
Barracuda has said that the vulnerability was discovered May 19, and the company deployed a patch “to all ESG appliances worldwide” the following day. A second patch was deployed May 21 to all Email Security Gateway appliances.
Campbell, Calif.-based Barracuda initially disclosed the breach May 24. Further investigation from the company and Mandiant uncovered evidence that the vulnerability had been exploited as far back as October 2022, the company said in an updated disclosure June 1.
Barracuda has said it believes 5 percent of active ESG appliances were compromised by attackers but hasn’t specified the total number of customers that were impacted.
Barracuda’s Email Security Gateway is a product used by on-premises customers to filter all inbound and outbound email traffic. The appliance, which is cloud-connected, is often used to protect Microsoft Exchange environments.