China Behind ‘Wide-Ranging’ Barracuda Attacks, Mandiant Says

The incident response firm says it ‘assesses with high confidence’ that hackers working on behalf of the Chinese government carried out the attacks on customers of Barracuda’s Email Security Gateway.


Hackers working for China’s government are the likely culprits behind the recent cyberattack campaign targeting customers who use Barracuda’s Email Security Gateway, according to prominent incident response firm Mandiant.

The attacks leveraged a critical vulnerability in the on-premises appliances that has since been patched. Last week they prompted an unusual recommendation from Barracuda: affected customers should replace their Email Security Gateway devices outright.



Mandiant, which is owned by Google Cloud, has been hired by Barracuda to investigate the incident.

“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors,” Mandiant said in a post Thursday. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.”

In its own post Thursday, Barracuda pointed to Mandiant’s attribution of the threat actor to the Chinese government, and said that the attackers “conducted targeted information gathering activity from a subset of organizations in support of the People’s Republic of China.”

Barracuda has said that the vulnerability was discovered May 19, 2023, and that the company deployed a patch “to all ESG appliances worldwide” the following day. A second patch was deployed May 21 to all Email Security Gateway appliances.

“Between May 22, 2023 and May 24, 2023, UNC4841 countered with high frequency operations targeting a number of victims located in at least 16 different countries,” Mandiant said in its post. “Overall, Mandiant identified that this campaign has impacted organizations across the public and private sectors worldwide, with almost a third being government agencies.”

Along with replacing compromised ESG appliances, “Mandiant recommends further investigation and hunting within impacted networks, as the identified threat actor has demonstrated a commitment to maintaining persistence for continued operations and has shown an ability to move laterally from the ESG appliance,” the company said.

Mandiant noted that its investigation found the attackers deployed three malware families, Saltwater, SeaSpy and SeaSide, to establish and maintain persistence on compromised appliances. The code families “attempt to masquerade as legitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified malware families detailed for the first time in this blog post,” Mandiant said.

“Post initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest for exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network, or to send mail to other victim appliances,” Mandiant said in its post.

Campbell, Calif.-based Barracuda initially disclosed the breach May 24. Further investigation from the company and Mandiant uncovered evidence that the vulnerability had been exploited as far back as October 2022, the company said in an updated disclosure June 1.

Barracuda’s Email Security Gateway is an on-premises appliance that filters all inbound and outbound email traffic for a customer. The appliance, which is cloud-connected, is often deployed to protect Microsoft Exchange environments.