China, Iran among those exploiting Apache cyber vulnerability, researchers say

State-sponsored hackers from countries including Iran and China are actively exploiting a major vulnerability in Apache logging package log4j to target vulnerable organizations around the world, security researchers found this week.

The log4j vulnerability, first discovered late last week, has set off alarm bells for cybersecurity professionals worldwide, as the vulnerability is fundamental to systems used by many organizations and difficult to fully patch. 

Microsoft on Tuesday updated its blog post on the log4j vulnerability, warning that the Microsoft Threat Intelligence Center (MSTIC) had seen evidence of nation-state hacking groups in China, Iran, North Korea and Turkey exploiting it. 

The Iranian group exploiting log4j, which Microsoft labeled “Phosphorus” and which has previously been linked to targeting medical researchers and staffers on former President Trump’s reelection campaign, has been launching ransomware attacks using the vulnerability. Meanwhile, a Chinese group labeled “Hafnium,” which previously exploited flaws in Microsoft’s Exchange Server to potentially target thousands of groups, was seen to be using the log4j vulnerability to attack virtualization infrastructure. 

“This activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment, and exploitation against targets to achieve the actor’s objectives,” the blog post reads. 

Microsoft was not the only organization to see nation-state targeting. A spokesperson for cybersecurity group Mandiant told The Hill this week that “Chinese government actors” were exploiting the log4j vulnerability, confirming widespread fears by security researchers this week that nation states would seek to use the vulnerability to further their goals. 

Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told reporters Tuesday night that while the agency was seeing exploitation, it was not officially attributing this to any particular country.

“Exploiting this vulnerability gives an adversary potentially deep access into a target network, possibly allowing them to exfiltrate information or cause other harmful attacks,” Goldstein told reporters, warning that “we do expect that adversaries of all sorts will utilize this vulnerability to achieve their strategic goals.”

CISA has taken a series of actions over the past week to address the vulnerability, including adding log4j to to the CISA’s catalog of vulnerabilities, requiring federal agencies to immediately address it. CISA’s Joint Cyber Defense Collaborative has also established a senior leadership group to focus on the vulnerability, and CISA has been in regular contact in recent days with critical private sector partners. 

“Across the federal government, we have no known reports of compromises using this vulnerability,” Goldstein said. “Certainly there are organizations across the world that are seeing exploitation using this vulnerability.”