Uncovering the origins of Log4J.
Hacktivists, China, and the chaotic disclosure of Log4J.
The following is the story of how the Log4J vulnerability, nicknamed Log4Shell, was first exposed, leading to one of the most significant cybersecurity vulnerabilities in the past 10 years. This report includes excerpts from an exclusive interview conducted with the members of AgainstTheWest (ATW) on 17 January 2022.
· AgainstTheWest, a European based hacktivist group that has been aggressively targeting Chinese companies since October 2021, stumbled across the Log4J vulnerability in early October 2021.
· ATW actively exploited Log4J to target Chinese companies and government organizations including Alibaba Cloud, which they targeted in October 2021.
· Alibaba Cloud discovered the vulnerability during an ATW attack and disclosed it to Apache in late November 2021.
· That disclosure in November 2021 resulted in the chaos that was log4J in December 2021 that continues to this day.
ATW is a hacktivist group who has been active since October 2021. Don’t let the name confuse you — this group is focused on countries they perceive to be a threat to western society. Their first target was China and since October 2021 they have claimed to have impacted multiple Chinese private and government organizations. You can see their operations here — https://raidforums.com/User-AgainstTheWest.
They are currently pivoting their operation to target Russia.
The Chaotic disclosure of Log4J:
When we spoke with ATW, we had to ask about Log4J. For context, they had mentioned on Raidforums about their use of Log4J https://raidforums.com/Thread-The-truth-with-Log4Shell-ATW, however their explanation was far more confirmatory to us. We had speculated since the announcement of Log4J in December that the group had possibly leveraged that vulnerability prior to its disclosure date.
So, what happened? How did a hacktivist group targeting Chinese organizations trigger one of the most significant and wide spread cybersecurity responses to a vulnerability in the past 10 years? Simple, they used it.
As you can see below, ATW stumbled on Log4J and starting using it in October 2021. It wasn’t until they made an error while targeting Alibaba Cloud that it was detected and then later disclosed, and by early December 2021 the entire world was attempting to patch and remediate what is now Log4J or Log4Shell.
You will note here that ATW has remorse for the impact it has had on the west as this impacts their intent and goals. It‘s remarkable that they were able to exploit this vulnerability for over a month before Alibaba Cloud eventually discovered it.
The attacks by ATW prior to Alibaba Cloud may have inspired the company to disobey the Chinese government order of vulnerability disclosure and tell Apache first, before the Chinese government. This is something they are now being punished for. https://www.zdnet.com/article/log4j-chinese-regulators-suspend-alibaba-partnership-over-failure-to-report-vulnerability/
For additional context and validation, ATW posted its first lot of Alibaba data to Raidforums on 12 November 2021 — Alibaba disclosed the Log4J vulnerability to Apache in late November 2021.
The fact that Alibaba disclosed the vulnerability weeks after ATW posted the data and the network access provides enough evidence that they are genuine in their comments above about Log4J.
There you have it, a hacktivist group targeting China resulted in the chaotic disclosure of the most significant cybersecurity vulnerability in the past ten years.
We will be creating a follow-up to this report with a deeper dive into ATW with more details from the interview.
If you would like more information please contact us via our Twitter.