Chinese hackers use Log4j exploit to go after academic institution

A Chinese hacking group known for industrial espionage and intelligence collection used a vulnerability in Log4j to go after a large academic institution, researchers at CrowdStrike revealed Wednesday.

Threat analysts observed the group attempting to install malware after gaining access using a modified version of a Log4j exploit for VMware Horizon, a virtual workspace technology. CrowdStrike also observed the Chinese hackers trying to harvest credentials for further exploitation.

CrowdStrike analysts believe that the group behind the attack, which it is calling “Aquatic Panda,” has likely been active since at least May 2020. Its operations have primarily focused on targets in the telecommunications, technology and government sectors.

“Because OverWatch disrupted the attack before AQUATIC PANDA could take action on their objectives, their exact intent is unknown,” Param Singh, vice president of CrowdStrike OverWatch, wrote to CyberScoop in an email. “This adversary, however, is known to use tools to maintain persistence in environments so they can gain access to intellectual property and other industrial trade secrets.”

CrowdStrike didn’t name the institution that Aquatic Panda targeted, or its location.

Researchers at Mandiant and Microsoft have also reported activity by Chinese threat groups exploiting the Log4j vulnerability. Microsoft observed attacks by the Chinese group HAFNIUM using the vulnerability against virtualization infrastructure. Microsoft also warned of attacks exploiting the vulnerability by groups tied to Iran, North Korea and Turkey.

Log4j is an open-source software tool ubiquitous across the tech industry and can be found in millions of systems, making the full scope of potential victims hard to track. Cybercriminals raced to take advantage of the vulnerability when it was revealed earlier this month, meaning that even if organizations have since patched their systems, attackers could have already established a foothold.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Dec. 22 issued an advisory on how to deal with potential risks to IT and cloud services that the vulnerability poses.