Chinese hackers, tracked as the threat actor UAT-6382, breached U.S. local government systems by exploiting a vulnerability in Trimble Cityworks software. The intrusions were enabled by a then-unpatched deserialization vulnerability, tracked as CVE-2025-0994, in Cityworks deployments hosted on Microsoft Internet Information Services (IIS) servers. Exploitation began in January 2025, shortly before Trimble issued a patch for the software in early February.
The attackers used a range of techniques to infiltrate systems tied to utilities management. They began with reconnaissance inside local government networks, methodically identifying valuable data. The remote code execution (RCE) flaw allowed an authenticated user to run code on a vulnerable server; once that access was gained, the hackers deployed malware such as Cobalt Strike and VSHell, along with web shells like AntSword, giving them long-term persistence and control over the compromised systems.
Notably, the custom tools and messages used during the attacks were written in Simplified Chinese, pointing to the attackers' origin.
The impact of this breach is considerable because it centered on local government entities, critical bodies that manage indispensable services. With utilities management the primary target of the intrusions, the U.S. government faced potential disruptions to essential public services.
The Cybersecurity and Infrastructure Security Agency (CISA) responded quickly by adding the vulnerability to its Known Exploited Vulnerabilities catalog and issuing advisories to mitigate the risk.
In the aftermath, Trimble published indicators of compromise (IoCs) to help users identify affected systems. CISA urged all local governments and utilities to update their software immediately to close off this avenue of exploitation.
The deliberate actions of UAT-6382 underscore the pressing need to strengthen cybersecurity across the public sector, where an evolving threat landscape demands vigilant oversight and adaptive security measures to protect against future attacks.