The U.S. cybersecurity firm Mandiant has confirmed that suspected state-backed Chinese hackers are behind the exploitation of a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances that disproportionately targeted government and government-linked organizations globally.

According to a Mandiant blog post published today, the threat actor’s global espionage campaign dates back as early as October 2022, with threat actors dropping previously unknown malware onto compromised appliances and stealing sensitive data.

The biggest targets of this campaign were the U.S. and Canada, followed by China, Germany, the Netherlands, Poland, Japan, and Vietnam. Almost a third of appliances that were affected in this campaign belonged to government agencies, followed by firms in the high-tech and IT industries.

“Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign. These organizations included municipal offices, law enforcement offices, judiciaries of varying levels, social service offices, and several incorporated towns,” Mandiant wrote in the blog post.

“While overall local government targeting comprises just under seven percent of all identified affected organizations, this statistic increases to nearly seventeen percent when compared to U.S.-based targeting alone.”

According to Mandiant, the China-nexus threat group, currently tracked as UNC4841, was espionage-motivated: it took advantage of the zero-day vulnerability CVE-2023-2868 to compromise systems belonging to high-profile users in the national government, high-tech, and information technology sectors.

Mandiant names these malware families: Skipjack (a passive backdoor for listening to communications), DepthCharge (a passive backdoor tracked by CISA as SUBMARINE), Foxglove (a malware launcher written in C), Foxtrot (a backdoor written in C++ whose supported commands include keystroke capture, shell command execution, reverse shell creation, and file transfer) and a second version of SeaSpy (a passive backdoor).

The existence of CVE-2023-2868 was first discovered by Barracuda on May 19, 2023, with the company releasing a patch to ESG appliances on May 20, 2023. However, it was later determined that the fixes were ineffective, which prompted Barracuda to ask ESG users to throw away vulnerable appliances and seek a replacement.

Since Barracuda released the patch to ESG appliances on May 20, 2023, Mandiant and Barracuda have found no evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances.

Only 5% of ESG appliances around the world were compromised. No other Barracuda products, including Barracuda’s SaaS email solutions, were affected by this vulnerability.

Mandiant and Barracuda investigations into previously compromised appliances confirmed UNC4841 deployed new and novel malware to maintain presence at a small subset of high-priority targets that it compromised either before the patch was released or shortly following Barracuda’s remediation guidance.

This “suggests that despite this operation’s global coverage, it was not opportunistic and that UNC4841 had adequate planning and funding to anticipate and prepare for contingencies that could potentially disrupt their access to target networks,” Mandiant added.

“It’s become clear we are contending with a formidable adversary that boasts vast resources, funding and the technical capability to successfully execute global espionage campaigns at scale. China-nexus espionage actors are improving their operations to become more stealthy, effective and impactful,” said Austin Larsen, Mandiant Senior Incident Response Consultant.

At the time of writing, Mandiant evaluates that a limited number of previously affected victims continue to be at risk of potential compromise from suspected Chinese hacking groups.

Mandiant and Barracuda have notified customers impacted by this incident. Affected users are requested to contact Barracuda support and replace the compromised ESG appliance.