Hackers linked to China’s Ministry of State Security have spent most of the last year infiltrating and moving freely through state government networks across the United States, according to a report by the cybersecurity firm Mandiant.
Released on Tuesday, the report says that the hacking group known as APT41, whose members are already sought by the FBI for allegedly working on behalf of Beijing to conduct cyberattacks, began targeting at least six state governments starting last spring, and had not let up through the end of February.
“This is a pretty unique switch,” Rufus Brown, a senior threat analyst at Mandiant and the lead author of the report, said about the attacks. “Since May 2021, we’ve seen them just continuously hammer these state governments.”
“It’s very persistent, very continuous, and they keep coming back for whatever they want,” he said. “We likely assess that there are more states affected.”
Brown declined to disclose which states were attacked. The National Governors Association did not immediately respond to a request for comment.
It is unclear what or how much information APT41 might have stolen from the various state agencies, but the attackers jumped from department to department, and in at least one instance stole a batch of personal identifying information, Brown said.
The report said that the hackers also targeted a Microsoft-based agriculture database used by 18 states to document livestock health, known as USAHerds.
The National Agribusiness Technology Centre, the organisation that runs the USAHerds network, did not immediately respond to a request for comment.
And when a global software bug known as the “log4j vulnerability” was made public late last year – described by a top US cybersecurity official as “the most serious vulnerability I have seen in my decades-long career” – the hackers took less than two days to begin using it to target the state governments, Mandiant reported.
“Stopping them is very hard,” said Brown. “The only thing that really is going to help this is arresting the individuals.”
The cyberattacks against the state governments come as top leaders in China have spoken in recent years about maintaining close ties with individual states – a sort of counterbalance to Beijing’s deteriorating relationship with Washington.
Chinese leader Xi Jinping said in 2020 that his country should work with “American states, local councils and businesses”.
Some state governors have expressed a willingness to maintain strong business ties with China, even as their counterparts in Washington criticise Beijing.
During the administration of former president Donald Trump, then-secretary of state Mike Pompeo warned an association of US governors to be wary of Chinese influence and investment in their states.
“The competition with China is not just a federal issue,” he said at the time.
In 2020, the US Department of Justice charged five Chinese nationals, members of the group APT41, with various cybercrime offences, including identity theft, money laundering and computer violations.
The Justice Department said at the time that one of the Chinese nationals charged had boasted that he was protected by the Ministry of State Security, China’s intelligence agency.
Brown, whose firm began the investigation after it was contacted by one of the state governments about suspicious activity in its network, said that based on his investigation, he had “100%” confidence that the attacks were perpetrated by APT41.
Google’s parent company Alphabet announced on Tuesday that it was set to buy Mandiant, which is based in Virginia, for about US$5.4bil (RM22.61bil).
China has denied for years that it has facilitated cyberattacks abroad, and says that it too is a victim of hacking.
On Saturday, in Chinese Premier Li Keqiang’s annual government work report, he called for China to “strengthen cybersecurity, data security, personal information protection”, according to an official summary.
Liu Pengyu, the spokesman for the Chinese embassy in Washington, did not comment on the details of the Mandiant report, but said that China opposes “making groundless accusations against China on cybersecurity and other related issues”.
In the past, China has also been accused of hacking US federal government personnel files, military contractors and news organisations; Washington remains suspicious about Beijing’s commitment to cybersecurity.
Observers have also expressed alarm over a Chinese law passed last year, which orders companies that find digital vulnerabilities to inform Beijing first before notifying any global cybersecurity organisations.
Mandiant’s report came as US intelligence agencies were testifying to Congress about their annual “threat assessment” document, which called China “the broadest, most active, and persistent cyberespionage threat to US Government and private sector networks”.
“China almost certainly is capable of launching cyberattacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems,” the document said. – South China Morning Post