UPDATED 15:39 EDT / JUNE 15 2023

Mandiant attributes Barracuda Networks malware campaign to China-linked hackers

Mandiant has determined that the recently discovered hacking campaign targeting Barracuda Networks Inc. customers was launched by China-linked hackers.

Mandiant, a breach investigation company that was acquired by Google LLC earlier this year, released its findings today. The Google unit was hired by Barracuda to investigate the malware campaign.

Campbell, California-based Barracuda is a major provider of cybersecurity software. It went public in 2013 and traded on the NYSE for four years before being taken private in a $1.4 billion acquisition. The company claims that its products are used by more than 200,000 organizations worldwide.

On May 19, Barracuda discovered a hacking campaign targeting customers of its email security gateway appliances. Companies and government agencies use such appliances to scan employees’ messages for malware. Barracuda determined that hackers had been targeting customers as early as last October.

The hackers carried out the cyberattacks using a zero-day, or previously unknown, vulnerability in the company’s appliances. Barracuda issued a patch to fix the vulnerability a few days after it discovered the malware campaign. A few weeks later, the company instructed customers to remove affected appliances from their networks even if they downloaded the patch.

In a report published today, Mandiant shared more details about the cyberattack. The Google unit’s researchers determined that the hackers altered their malware soon after Mandiant released the patch in May. Additionally, they deployed additional “persistence mechanisms” designed to maintain their access to victims’ networks.

The malware campaign was carried out by a threat actor Mandiant refers to as UNC4841. After analyzing UNC4841’s tactics, it found “points of overlap with infrastructure” used by other China-linked hacking groups. “Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China,” the researchers wrote in the report. 

According to Mandiant, 55% of the cyberattacks carried out as part of the hacking campaign targeted organizations in the Americas. Furthermore, a third of the affected organizations are government agencies. Previously, cybersecurity provider Rapid7 Inc. estimated that there were 11,000 vulnerable Barracuda appliances connected to the internet as of earlier this month.

UNC4841 targeted Barracuda customers using emails containing a malicious attachment. The attachment infected vulnerable appliances with three malicious programs disguised as legitimate Barracuda software.

After breaching victims’ networks, the hackers took steps to “aggressively target specific data of interest for exfiltration,” Mandiant’s researchers determined. In some cases, UNC4841 also conducted lateral movement. That’s the term for attempts by hackers to use a compromised component of a corporate network to infect other systems.

Barracuda and Mandiant have released a set of IOCs, or indicators of compromise, to help affected customers secure their networks. IOCs are pieces of data left behind in a network following a cyberattack. If an organization finds such data snippets in its network, it can conclude that a breach took place.

Mandiant is also suggesting that Barracuda customers review network and email logs for signs of malicious activity. Moreover, affected organizations are advised to change any login credentials that may have been stored on their vulnerable Barracuda appliances.
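The two recommendations above, sweeping network and email logs for published indicators, amount to a simple matching exercise once the IOC list is in hand. The script below is an added example written for this article, not code from Mandiant or Barracuda; the indicator values and the log lines are constructed placeholders (TEST-NET addresses, `.example` domains, a dummy hash) standing in for the real IOCs, which come only from the vendors' advisories. It extracts IPv4 addresses, domains and SHA-256 hashes from each log line and reports every hit against the indicator set.

```python
"""IOC sweep over gateway and network logs.

Added example for illustration; the indicator set and log lines below are
constructed placeholders, not the real indicators published by Barracuda
or Mandiant. Replace IOCS with the vendor-supplied list before use.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

PLACEHOLDER_HASH = "0" * 63 + "a"  # constructed, not a real malware hash

# Constructed indicator set (NOT real IOCs). Keys are indicator types.
IOCS = {
    "ipv4": {"203.0.113.42", "198.51.100.7"},           # TEST-NET ranges
    "domain": {"update-check.example", "cdn-sync.example"},
    "sha256": {PLACEHOLDER_HASH},
}

# Constructed sample log lines in a generic "timestamp source key=value" form.
SAMPLE_LOGS = [
    f"2023-05-20T08:12:01Z smtp inbound from=billing@partner.example attach=invoice.tar sha256={PLACEHOLDER_HASH}",
    "2023-05-20T08:12:05Z net outbound dst=203.0.113.42:443 proc=/bin/sh",
    "2023-05-20T08:13:30Z dns query name=update-check.example rcode=NOERROR",
    "2023-05-20T09:00:00Z smtp inbound from=hr@corp.example attach=policy.pdf sha256=" + "b" * 64,
    "2023-05-20T09:01:00Z net outbound dst=192.0.2.10:443 proc=bsmtpd",
]


@dataclass(frozen=True)
class Finding:
    """One indicator hit: where it was seen, what type, which value, raw line."""
    line_no: int
    ioc_type: str
    value: str
    raw: str


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def _valid_ipv4(text: str) -> bool:
    """Reject regex hits such as 999.1.1.1 that are not real addresses."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return every IOC hit found in a single log line."""
    findings: list[Finding] = []
    for ip in IPV4_RE.findall(line):
        if _valid_ipv4(ip) and ip in IOCS["ipv4"]:
            findings.append(Finding(line_no, "ipv4", ip, line))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in IOCS["domain"]:
            findings.append(Finding(line_no, "domain", dom.lower(), line))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOCS["sha256"]:
            findings.append(Finding(line_no, "sha256", digest.lower(), line))
    return findings


def sweep(lines: list[str]) -> list[Finding]:
    """Scan a whole log, numbering lines from 1 so hits can be located."""
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        findings.extend(scan_line(line_no, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per indicator type for a quick triage overview."""
    return dict(Counter(f.ioc_type for f in findings))


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOGS)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
    print("summary:", summarize(hits))
```

Any hit is a reason to treat the appliance as compromised and follow the vendor guidance (replace the device, rotate any credentials it held) rather than to clean it in place; an empty result only says that these particular indicators were not seen in these particular logs.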
