Search timeline
Over the past year, has tracked a relentless campaign carried out by #APT41 🇨🇳 targeting State-level governments 🛠within the United States 🇺🇸. Read more about it in our new blog! mandiant.com/resources/apt4
1
33
61
Show this thread
Mandiant has uncovered that #APT41 successfully compromised at least 6 U.S. state government networks between May 2021 and Feb 2022. Read this blog post from and for more details.
1
23
27
Quote Tweet
We’re releasing research on a persistent #APT41 campaign targeting U.S. state governments from May ‘21 – Feb ‘22. Grab a biker jacket, studded belt, hair bleach and read our SUMmary of #APT41’s activities. Highlight 
mandiant.com/resources/apt4Show this thread
2
2
13
Quote Tweet
We’re releasing research on a persistent #APT41 campaign targeting U.S. state governments from May ‘21 – Feb ‘22. Grab a biker jacket, studded belt, hair bleach and read our SUMmary of #APT41’s activities. Highlight
mandiant.com/resources/apt4Show this thread
10
GIF
Quote Tweet
New malware? Check 
0day? Check 
See what out what we’re all about in the latest blog from Mandiant on APT41 mandiant.com/resources/apt4
0day? Check See what out what we’re all about in the latest blog from Mandiant on APT41 mandiant.com/resources/apt4Show this thread
1
1
4
🚨 New 🇨🇳 #apt41 threat research 🚨
mandiant.com/resources/apt4
New persistent #apt41 campaign from May '21 - present targeting U.S. state governments. They are everywhere. Initial entry point through vulnerable web apps including usage of an 0-day 🧵
1
2
11
Show this thread
In more news...#APT41 has been putting in work targeting a number of US State #governments... , , , and have the scoop!
mandiant.com/resources/apt4
👀👀👀 Amazing work!🔥🔥🔥🔥
1
6
18
Show this thread
#APT41 has continued to operate even after an major #indictment in the US while exploiting multiple vulnerable applications
1
3
Show this thread
Really awesome thread by one of the authors on how #APT41 continues to be a menace even after a #indictment linked here #nevergonnagiveup
justice.gov/opa/pr/seven-i
Quote Tweet
We’re releasing research on a persistent #APT41 campaign targeting U.S. state governments from May ‘21 – Feb ‘22. Grab a biker jacket, studded belt, hair bleach and read our SUMmary of #APT41’s activities. Highlight
mandiant.com/resources/apt4Show this thread
6
USAHerds is an animal disease tracking and management system used by state-level Departments of Agriculture. #APT41 obtained a hardcoded, static .NET machineKey that allowed them to exploit USAHerds instances at ALL 18 U.S. states.
1
3
Show this thread
#APT41 must have taken a course on .NET deserialization attacks recently...
1⃣ Static machineKeys in USAHERDS CVE-2021-44207
2⃣ Directory traversal to obtain machineKey values for deserialization attacks
3⃣ Hunting for and harvesting of web.config files for later use
1
1
3
Show this thread
In multiple investigations, we’ve responded to #APT41 at one agency only to find that APT41 had also compromised a separate agency in the same state. We’re not entirely sure what they’re after, but whatever it is, it’s important.
1
8
Show this thread
Although #APT41 has historically done spray and pray exploitation (e.g. mandiant.com/resources/apt4), this campaign was deliberate: in multiple instances #APT41 recompromised State victims, as recently as Feb ’22.
1
9
Show this thread
collaborated with USAHerds vendor Acclaim Systems and to identify the vulnerability in their application and publish an Advisory to USAHerds clients. Once disclosed and patched, #APT41 was forced to switch entry points. Queue: #Log4Shell
2
1
3
Show this thread
Regardless of which application #APT41 targeted on any given day, their post-exploitation operations remained consistent with prior intrusions:
Quote Tweet
The group continues to use a combination of previous tooling, with enhancements and new techniques to remain stealthy. Notably, we cover:
-Anti-analysis techniques on tried/true malware
-Dead drop resolvers
-Moar Cloudflare services in C2 (WSS, Cloudflare workers)
Show this thread
1
3
Show this thread