The wide range of state agencies targeted include “health, transportation, labor (including unemployment benefit systems), higher education, agriculture, and court networks and systems,” the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) said in a separate, private advisory to state governments obtained by CNN.
For agencies in two states, the hackers broke into networks using a critical software flaw that was revealed in December just as the Biden administration was scrambling to respond to the flaw’s discovery, according to Mandiant.
The hackers’ motives aren’t clear, but their victims are “consistent with an espionage operation,” the firm said. The list of state agencies affected by the hacking could grow as the investigation continues.
In one state, Mandiant said, the hackers accessed personally data on some Americans, including names, email addresses and mobile phone numbers. Mandiant declined to name the US states or agencies affected.
While the hackers’ ultimate objectives are unclear, state agencies could provide a wealth of useful information to foreign spies, whether data related to elections or government contracting.
“This campaign is likely still going on. [The hackers] probably haven’t completed their mission,” said Rufus Brown, senior threat analyst at Mandiant’s Advanced Practices team.
The hackers have used multiple methods to access the state agency networks, and in some cases have returned to the same compromised network after Mandiant specialists contained the activity.
CNN has asked CISA to comment.
Mandiant blamed the hacking campaign on a group that the Justice Department has linked with China’s civilian intelligence agency. That hacking group, according to a US indictment unsealed in September 2020, has been linked to attempts to breach hundreds of organizations around the world, from hardware makers to pro-democracy politicians in Hong Kong.
“We firmly oppose and combat cyberattacks of any kind,” Chinese Embassy in Washington spokesperson Liu Pengyu said in an email. “We oppose making groundless accusations against China on cyber security and other related issues.