Cybersecurity firm Mandiant on Thursday revealed “the broadest cyber-espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021.”

The Microsoft Exchange hack was a massive global cybersecurity crisis that affected at least 60,000 users, with targeting focused on infectious disease research and policy shops. State and city governments, corporations, first responders, and other organizations invested huge amounts of time and money in cleaning up the damage from the attack, which the U.S. and other governments pinned on a group of hackers linked to the Chinese government.

The Biden administration condemned China’s “pattern of irresponsible behavior in cyberspace” in 2021 but stopped short of imposing retaliatory sanctions.

The new Chinese attack Mandiant detected once again exploited security flaws in an email program to infect an as-yet-unknown number of computer systems. In this case, the email package is called Barracuda Email Security Gateway (ESG).

Barracuda announced on May 23 that it discovered a zero-day vulnerability – a previously undetected gap in software security that hackers exploited before security experts became aware of it. The vulnerability allowed attackers to gain unauthorized access to parts of the email system and deposit malicious code by formatting filenames in a manner that tricked the ESG system into executing them without requiring proper authentication.

In this file photo taken on August 04, 2020, Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China. (NICOLAS ASFOURI/AFP via Getty)

Barracuda quickly patched the vulnerability but warned that hackers may have been exploiting it for up to seven months before it was discovered. On June 11, Barracuda issued an urgent update that advised users to replace affected ESG devices immediately, regardless of installed patches or software version level – a sobering testament to the severity of the flaw, and how ruthlessly it was exploited by hackers before security professionals discovered it.

Mandiant said on Thursday it discovered a threat group dubbed UNC4841 targeted ESG systems as a “vector for espionage” beginning in early October 2022. The hacker group sent emails to their targets that were laced with “malicious file attachments.” These malware files exploited the zero-day flaw to trick the targeted systems into executing them as if they were legitimate code.

Mandiant said the hackers used their viral code to “aggressively target specific data of interest for exfiltration,” as well as open further vulnerabilities in hacked networks that could be employed for further espionage, and for firing off more emails containing malware payloads to infect even more systems.

Targeted systems were found in 16 different countries, although over half were located in the Americas. Almost a third of the targets were government agencies. Other heavy targets included the Ministry of Foreign Affairs for the Association of Southeast Asian Nations (ASEAN) and “foreign trade offices and academic research organizations in Taiwan and Hong Kong.”

Mandiant noted the hackers “searched for email accounts belonging to individuals working for a government with political or strategic interest to the PRC [People’s Republic of China] at the same time that this victim government was participating in high-level, diplomatic meetings with other countries.”

Based on these targeting patterns and analysis of the virus code, Mandiant assessed with “high confidence” that threat group UNC4841 “conducted espionage activity in support of the People’s Republic of China.”

Mandiant further warned that UNC4841 remains a serious threat, as the group is “highly responsive to defensive efforts” and is keenly interested in further espionage activities against its targets.

Barracuda said on Thursday that about five percent of its ESG users worldwide appear to have been compromised. The company said it would provide replacement equipment to the targets at no cost.

News of the latest Chinese cyberattack broke as Microsoft founder Bill Gates was in Beijing, lavishing praise on the authoritarian regime and calling for more Western cooperation with China. U.S. Secretary of State Antony Blinken is scheduled to visit China this weekend.