Barracuda ESG hacks focused on China’s ‘high priority targets’

Mandiant senior incident response consultant Austin Larsen told SC Media that China-aligned espionage groups have been working to improve their operations to be more impactful, stealthy, and effective. (Photo by: Francesca Ripamonti/REDA&CO/Universal Images Group via Getty Images)
Mandiant researchers say the hackers responsible for a recent campaign against Barracuda email security gateway (ESG) devices have carried out follow-up attacks against compromised organizations that are considered “high priority targets” by the Chinese government, and have made substantial efforts to bypass remediation by victims.

A previously unknown threat group, UNC4841, which Mandiant and the FBI this month said has clear links to China, compromised Barracuda ESG appliances around the world between October 2022 and June 2023.

Mandiant was hired by Barracuda to investigate the attacks when they were discovered in May and has been working closely with impacted organizations and authorities in several jurisdictions.

In a research report published today, Mandiant said its analysis shows UNC4841 was able to deploy additional malware to maintain a presence on a smaller group of networks it was targeting, even as organizations scrambled to remediate the initial attacks. A limited number of victims remained at risk from a novel backdoor malware, called DEPTHCHARGE, that the threat group deployed to maintain persistence in response to remediation efforts.

“UNC4841’s deployment [of] select backdoors suggests this threat actor anticipated, and prepared for remediation efforts, by creating tooling in advance to remain embedded in high-value targets, should the campaign be compromised,” wrote researchers Austin Larsen, John Palmisano, John Wolfram, Matthew Potaczek and Michael Raggi.

“It also suggests that despite this operation’s global coverage, it was not opportunistic, and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks.”

The lead author of the report, Mandiant senior incident response consultant (Google Cloud) Austin Larsen, told SC Media in a statement that China-aligned espionage groups have been working to improve their operations to be more impactful, stealthy, and effective.

“We’re contending with formidable adversaries that boast vast resources, funding, and the know-how to successfully execute global espionage campaigns undetected,” he said.

About 5% of all Barracuda ESG appliances globally were compromised through the campaign. Mandiant said that while UNC4841 was intent on maintaining persistence across a subset of those devices, no new compromises of additional appliances had been detected since Barracuda released a patch for the initial remote command injection vulnerability (CVE-2023-2868).