In a significant cybersecurity breach, the Chinese hacking group tracked as UAT-6382 has infiltrated multiple local government networks across the United States. According to Cisco Talos, the group is primarily known for exploiting a zero-day vulnerability in Trimble Cityworks, a Geographic Information System (GIS)-based asset and work management platform used by municipalities, utilities, and public works departments.
The Chinese hacking group UAT-6382 has breached local U.S. government networks via a zero-day flaw in Trimble Cityworks.
The attack specifically targeted enterprise networks responsible for managing public assets, including permitting and licensing systems. Zero-day vulnerabilities are particularly dangerous because organizations have no opportunity to prepare defenses before exploitation begins. The campaign started in January 2025, before the vendor released a patch for the deserialization flaw (CVE-2025-0994), which carries a CVSS score of 8.6 and requires authentication to exploit.
Evidence indicates that the group employed several advanced malware techniques, including Rust-based malware loaders and Cobalt Strike beacons for long-term access. Notably, VSHell malware, web shells such as AntSword, and messages written in Chinese were found on the compromised systems, pointing to the attackers' origin and intentions.
Although the patch was released in early February, exploitation persisted, leading the United States Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities catalog. Continuing the campaign after a fix was available reflects advanced persistent threat (APT) tactics and poses a significant risk to public-sector cybersecurity. The group is also suspected of specifically targeting utility management systems to extend its control over critical infrastructure.
The intrusion showed a clear intent to pivot toward utility management systems, indicating a broader strategy by UAT-6382 to compromise critical infrastructure. Mitigation measures have included indicators of compromise (IoCs) published by Trimble, along with CISA advisories covering industrial control systems.
Yet unpatched Microsoft Internet Information Services (IIS) servers remain an ongoing risk. The incident highlights the critical need for coordinated response and stronger cyber hygiene, and it exposes how vulnerable public-sector networks are to sophisticated foreign intrusion.