Mandiant attributes Barracuda ESG attacks to China-linked group


Says "broadest cyber espionage campaign" since attack on Microsoft Exchange in 2021.


Google-owned cybersecurity firm Mandiant has announced that it suspects a China-linked group of targeting a subset of Barracuda's email security gateway (ESG) appliances.

Earlier in May, Barracuda said attackers were exploiting a critical vulnerability, CVE-2023-2868, in its ESG appliances to install three types of malware: Saltwater, SeaSpy and SeaSide. All three attempted to masquerade as legitimate Barracuda ESG modules or services.

ESG products are essentially firewalls used by on-premises customers for filtering both inbound and outbound email traffic. The firm issued patches on the following day. 

Barracuda, which has more than 200,000 corporate customers, issued an unusual recommendation last week to "fully replace" affected ESG appliances, stating that the patch had failed.

Mandiant said it has identified the suspected China-nexus actor, currently tracked as UNC4841, as the group targeting a subset of Barracuda ESG appliances to utilise them as a vector for espionage, spanning a multitude of regions and sectors. 

"Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China," it added. 

Cyber espionage

Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said: "This is the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021.

"In the Barracuda instance, the threat actor compromised email security appliances of hundreds of organisations. For a subset of victims, they stole the emails of prominent employees dealing in matters of interest to the Chinese government." 

Mandiant said UNC4841 conducted "high-frequency operations" targeting a number of victims located in at least 16 different countries. The mass exploitation has impacted organisations across public and private sectors, with almost a third being government agencies, the report said. 

“Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances,” the report stated.

Roughly one-fourth of the identified impacted organisations targeted by UNC4841 were government agencies, Mandiant said. 

ASEAN targeted

This included the Ministries of Foreign Affairs (MFAs) of ASEAN, as well as foreign trade offices and academic research organisations in various places, such as Hong Kong, Mandiant said.

"A majority of exploitation activity appears to impact the Americas, but Mandiant notes that may partially reflect Barracuda's product customer base," it added.

"UNC4841 was observed searching for email accounts belonging to individuals working for a government with political or strategic interest to China while this victim government was participating in high-level, diplomatic meetings with other countries," Mandiant added. 

In its latest guidance, Mandiant has warned customers to replace compromised ESG appliances regardless of firmware version or patch level, because the threat actor has maintained persistence for "continued operations" and retains the "ability to move laterally" from the ESG appliance.

It has also published a list of indicators of compromise (IoCs) and a detailed Architecture Hardening guide to aid organisations affected by this event.

Liu Pengyu, a spokesperson for the Chinese Embassy in Washington DC, said the allegations that the Chinese government supports hacking are "completely distorting the truth."

Liu also accused the US government of violating international law by carrying out similar espionage activities, without providing evidence for the claims.
