Nation-state hackers aim to exploit Log4j software flaw, Microsoft warns

U.S. cyber officials previously warned that hundreds of millions of devices were vulnerable.
(Photo by Neville Elder/Corbis via Getty Images)

Hackers associated with the governments of China, Iran, North Korea and Turkey have been trying to find ways to leverage the Apache Log4j vulnerability, Microsoft’s Threat Intelligence Team said Tuesday.

The notice came the same day a top U.S. government cyber official said that the Cybersecurity and Infrastructure Security Agency hasn’t seen any U.S. federal agencies targeted with the exploit, but that the government is still fearful of attacks. Hundreds of millions of devices are potentially at risk, an agency official previously said.

Microsoft’s notice said its analysts had observed “multiple” known state-associated hacking groups working with the vulnerability, with activity ranging from experimentation to integration in active campaigns to exploitation of targets. The flaw is so severe, computer security specialists have warned, that a successful attack could result in the takeover of an affected system.

An Iranian group Microsoft calls “Phosphorus” — known alternatively as “Charming Kitten” — that has been deploying ransomware of late has “operationalized” modifications to its tooling using Log4j, analysts said. A Chinese group, “HAFNIUM,” has also been observed attacking virtualization infrastructure with the vulnerability.


Cybersecurity firm Mandiant has also observed activity from those two countries, said John Hultquist, the company’s vice president of intelligence analysis.

“We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time,” he said in a statement to CyberScoop. The groups will likely work to target entities that they’d already been focused on, but may also find new targets as a result of the vulnerability’s exposure, he added.

The suspected Iranians working to implement Log4j into operations “are particularly aggressive,” he added, “having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.”

The vulnerability has also been observed as part of botnet activity, according to cybersecurity firm Bitdefender. The company reported Monday that it had seen attacks on its honeypots using the vulnerability, but had also seen real-world attacks that seemed mostly associated with cryptojacking. This kind of attack enables malicious cryptocurrency mining using a target’s system without consent.

Bitdefender had also detected attempts to incorporate the vulnerability into the Khonsari ransomware variant.

Tim Starks

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he's covered cybersecurity since 2003. Email Tim here:

Latest Podcasts