Chinese Hackers Breach US Local Governments Using Cityworks Zero-Day
In a disturbing revelation, Chinese-speaking hackers have successfully breached multiple local governing bodies across the United States by exploiting a now-patched Trimble Cityworks zero-day vulnerability. This incident highlights the growing threat of nation-state sponsored attacks on critical infrastructure and the importance of timely patching to prevent such breaches.
The Target: Trimble Cityworks
Trimble Cityworks is a widely used Geographic Information System (GIS)-based asset management and work order management software, primarily employed by local governments, utilities, and public works organizations. Designed to help infrastructure agencies and municipalities manage public assets, handle permitting and licensing, and process work orders, Cityworks has become an essential tool for these organizations.
The Attack Vector: UAT-6382 Group
The hacking group behind this campaign, identified as UAT-6382, employed sophisticated tactics, techniques, and procedures (TTPs) to breach the systems. Using a Rust-based malware loader, they deployed Cobalt Strike beacons and VShell malware designed to backdoor compromised systems and provide long-term persistent access. They also used web shells and custom malicious tools written in Chinese to further compromise the affected organizations.
The Investigation
According to Cisco Talos security researchers Asheer Malhotra and Brandon White, the attacks began in January 2025, when initial reconnaissance activity was observed within the breached organizations' networks. The attackers showed a clear interest in pivoting to systems related to utilities management.
The Evidence
Further analysis revealed that the web shells used by the attackers, including AntSword, chinatso/Chopper, and generic file uploaders, contained messaging written in Chinese. Additionally, the custom TetraLoader tooling was built using a malware builder called 'MaLoader', which is also written in Simplified Chinese.
The Patch and Warning
Trimble warned that it was aware of attackers trying to exploit CVE-2025-0994, a high-severity deserialization vulnerability that allows authenticated threat actors to execute code remotely on the targets' Microsoft Internet Information Services (IIS) servers. In early February 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released security updates to patch this vulnerability.
Federal Agencies Urged to Patch Immediately
CISA ordered federal agencies to patch their systems within three weeks as mandated by the November 2021 Binding Operational Directive (BOD) 22-01. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Top 10 MITRE ATT&CK Techniques
A recent analysis of 14M malicious actions revealed that the top 10 MITRE ATT&CK techniques were behind 93% of attacks. Understanding these techniques is crucial to defending against such attacks and preventing future breaches.
Federal Agencies on High Alert
Furthermore, the FBI reported that US officials have been targeted in voice deepfake attacks since April. Additionally, an unofficial Signal app used by Trump officials has been investigated for a hack. Chinese hackers also targeted the Russian government with upgraded RAT malware, and Ivanti patched a Connect Secure zero-day that had been exploited since mid-March.
CISA Emergency Directive: Mitigate Ivanti Zero-Days Immediately
Finally, CISA released an emergency directive ordering organizations to mitigate the Ivanti zero-days immediately. This is a critical reminder of the importance of timely patching and the need for continued vigilance in the face of evolving cyber threats.