China has reportedly focused its efforts on compromising email servers within several American government networks, raising concerns about potential data exploitation. According to findings from Mandiant, a state-sponsored criminal group targeted the Barracuda Email Security Gateway (ESG) between October and December 2022, deploying two variations of malware.
The ramifications of these cyberattacks involving the Barracuda email system are presently under investigation, with their full extent yet to be unveiled. However, suspicions point to UNC4841, an intelligence group believed to be backed by Beijing, as the orchestrator of the incident. This group is thought to have introduced the SeaSpy and Saltwater malware into approximately 5% of all Barracuda appliances.
The primary objective of the attack appears to be the extraction of sensitive information from high-ranking government officials in North America. In response, Barracuda has released an update addressing the zero-day vulnerability in ESG appliances. Those who have fallen victim to the attack, or who suspect a potential data breach, are strongly advised to replace their appliances promptly. Affected parties are also advised to rotate their enterprise Active Directory (AD) credentials to bolster network defenses against potential future incursions.
In a parallel investigation, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed that the same Chinese group was responsible for unleashing the Submarine and Whirlpool malware across a number of high-value targets.
Austin Larsen, Senior Incident Response Consultant at Mandiant, noted that “espionage actors with affiliations to China have refined their toolsets to an extent where they have become more impactful, elusive, and efficient.”