
Chinese Hackers Reportedly Target US Local Governments


Your Town Could Be A Target And You Might Not Even Know It

Most people think cyberattacks only happen to huge corporations or secret government agencies. But today, even small cities and towns are being targeted by hackers from across the globe. Hackers have found new ways to break into local government systems without being noticed.

They’re going after the software that runs everything from streetlights to sewer lines, which means no place is too small to be at risk. These attacks are quiet, dangerous, and often go undetected until the damage is already done.


The Everyday Software That Opened The Door

Trimble Cityworks is a tool many cities use every day to manage their public services. It helps track repairs, issue permits, schedule inspections, and organize utility work. In early 2025, a serious weakness in this software gave hackers a hidden way inside.

The flaw allows authenticated attackers to take control of systems by exploiting a deserialization vulnerability. Because Cityworks is used in so many places, this gave hackers a big opportunity to reach across the country. What started as a simple tool for city workers turned into a wide-open door for cybercriminals.


The Hackers Had A Plan, And It Was Sophisticated

In January, experts at Cisco Talos say the group behind the attack is known as UAT-6382. They believe the group is Chinese-speaking and highly skilled in breaking into government networks. These aren’t random hackers hoping to get lucky.

They came prepared with customized tools, malware written in Chinese, and clear steps to take once they were inside. Their moves were quick, calculated, and designed to keep them hidden for as long as possible. This wasn’t just a break-in; it was a full-scale campaign to stay inside and gather data.


How One Flaw Let Hackers Take Control

The problem that allowed all this to happen is called a deserialization flaw. That’s a fancy name for a bug that lets hackers feed bad data into a system and make it run harmful code.

Once that door was open, the hackers could do almost anything, from stealing files to installing more dangerous programs. They didn’t need to guess passwords or trick people. They simply slipped through a weakness in the system that no one knew was there until it was too late.


Inside The Hack, What Happened After They Got In

Once the attackers had access, they immediately searched the systems they broke into. They looked for useful data, such as utility maps, permits, and files related to city infrastructure. Then they installed hidden tools to stay connected, even if the software was updated or the system rebooted.

These backdoors allowed them to quietly come and go while watching what was happening. It was like they made themselves invisible guests in the city’s digital home, always watching, always ready to act.


The Secret Tools They Left Behind

The hackers didn’t rely on common viruses. They used custom web shells, including AntSword, Behinder, and Chopper, which are known for enabling remote access and control over compromised systems. These programs were written in Chinese and included special instructions meant for long-term use.

Once installed, these shells gave the attackers secret access, like building a trapdoor in a locked house. City staff had no idea anything was wrong while these tools quietly ran in the background, gathering data and giving the hackers total control.


Why This Malware Is Especially Dangerous

One of the scariest parts of this attack is a custom-made loader called TetraLoader. It’s a program that installs other malware while staying hard to detect.

TetraLoader was built using a Chinese malware builder called MaLoader, designed to help attackers sneak their tools into everyday programs. It even hides inside apps like Notepad to make it seem harmless.


They Weren’t Just Snooping, They Were Looking For Something Specific

These hackers didn’t just wander around city systems. They had a clear goal: to find and access data connected to public utilities. That includes water systems, electric grids, and infrastructure planning tools.

Having control over those systems can cause huge problems if they’re disrupted. It also gives hackers insight into how cities operate, which could be valuable for future attacks or financial gain. This wasn’t random—it was targeted, and it was strategic.


Why Local Governments Were Easy Targets

Unlike big companies, small towns and cities often don’t have strong cybersecurity teams. Their systems may be outdated, and IT staff might not have the training or tools to stop advanced hackers.

That makes them easier targets for skilled groups like UAT-6382. The hackers knew this and took full advantage. It’s not about blaming the cities; it’s about understanding how attackers choose their victims and why small communities need better protection.


This Attack Could Impact Everyday Life

Cityworks helps run daily operations, like managing traffic signals, water pumps, and garbage collection. If those systems are compromised, it could delay or disrupt public services.

That means longer wait times for permits, missed utility readings, or even bigger issues like malfunctioning streetlights or water outages. The average person may not see a hacker at work, but they might feel the effects when things around the city stop working right.


The First Red Flags, What Experts Noticed

Cisco Talos started noticing odd behavior in early January 2025. It included strange network activity, unexpected file uploads, and software behaving in ways it shouldn’t. As they investigated, they found malware written in Simplified Chinese and traces of custom-built programs never seen before.

This wasn’t guesswork; they matched the activity to known hacker methods and traced it back to a specific flaw in Cityworks. That’s how they confirmed it was a coordinated attack, not just a glitch or mistake.


The Cobalt Strike Connection

One of the tools used in the attack is called Cobalt Strike. It was made to help cybersecurity teams test defenses, but now hackers use it to control infected computers. Once inside a system, Cobalt Strike lets attackers do just about anything: run programs, steal data, or open new backdoors.

It’s popular with cybercriminals because it’s powerful and hard to stop once it’s in place. In this case, it helped UAT-6382 stay connected to city systems for long periods without being seen.


How They Stayed Hidden For So Long

The attackers used tricks to avoid being detected by antivirus programs and monitoring tools. They hid inside trusted programs, ran silent commands, and kept their files out of sight.

They also carefully timed their actions to avoid setting off alarms. This helped them stay inside networks for weeks or even months. By the time anyone realized what was happening, the attackers had already gathered what they needed and installed multiple layers of hidden tools.


How The Government Responded

When the flaw was discovered, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took immediate action. They told cities and federal agencies to install security patches by the end of February.

They also released a list of warning signs to help organizations figure out if they’d been hit. This included specific filenames, network patterns, and tools the hackers used. CISA’s fast response helped stop the attack from spreading further.


Patching The Problem And Fixing The Setup

Trimble, the company behind Cityworks, quickly released an update to fix the vulnerability. They told users to upgrade to versions 15.8.9 or 23.10 to stay safe.

They also warned that some cities had other risky settings, like giving too much access to certain system parts or misplacing files. Fixing the bug wasn’t enough; cities also had to double-check how their systems were set up and make sure they weren’t accidentally making things worse.
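As an added example (not code from Trimble, CISA or Cisco Talos), an IT team could triage an inventory of Cityworks installs against the fixed versions named above. The hostnames and reported versions are constructed, and treating every major version up to 15 as part of the 15.x line is an assumption.

```python
# Added example: triage a Cityworks inventory against the fixed versions the
# article names (15.8.9 and 23.10). Hostnames and versions are constructed.
FIXED_15 = (15, 8, 9)   # fixed release on the 15.x line (from the article)
FIXED_23 = (23, 10)     # fixed release on the 23.x line (from the article)

def parse_version(text):
    """Parse '15.8.9' into (15, 8, 9); raise ValueError if not dotted integers."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(version, fixed):
    """Compare after zero-padding, so (23, 10) and (23, 10, 0) are equal."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def patch_status(version_text):
    """Return 'patched', 'needs-patch', or 'unknown' for one reported version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # never assume an unreadable version is safe
    # Assumption: majors up to 15 belong to the 15.x line, later ones to 23.x.
    fixed = FIXED_15 if version[0] <= 15 else FIXED_23
    return "needs-patch" if is_older(version, fixed) else "patched"

def triage(inventory):
    """Map each host to its status and list the hosts needing follow-up."""
    statuses = {host: patch_status(v) for host, v in inventory.items()}
    follow_up = sorted(h for h, s in statuses.items() if s != "patched")
    return statuses, follow_up

# Constructed inventory, e.g. exported from an asset database.
SAMPLE_INVENTORY = {
    "cw-prod-01": "15.8.9",
    "cw-prod-02": "15.8.8",
    "cw-gis-01": "23.9",
    "cw-gis-02": "23.10",
    "cw-test-01": "unknown-build",
}

if __name__ == "__main__":
    statuses, follow_up = triage(SAMPLE_INVENTORY)
    for host in sorted(statuses):
        print(f"{host}: {statuses[host]}")
    print("follow up:", ", ".join(follow_up))
```

A "patched" result only covers the version number; the configuration review described above still applies to every host.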


Signs Your City Might Have Been Affected

Cities that use older versions of Cityworks without the new patch are the most at risk. If strange activity shows up, like files suddenly moving, network slowdowns, or unknown logins, that could mean trouble.

Some cities might not even know they were targeted yet. That’s why Cisco shared technical clues, like file names and IP addresses, to help IT teams search for problems. Being alert now can prevent bigger issues down the road.


Why These Attacks Are Becoming More Common

Cybercriminals are learning that small government systems can open doors to big opportunities. These systems often connect to public utilities, emergency services, and even state-level networks.

With more tools available online, it’s getting easier for hackers to launch attacks from anywhere. That’s why cities need to treat cybersecurity like a top priority, not just an afterthought. It’s no longer about if they’ll be targeted, but when.


Protecting The Systems That Keep Cities Running

The lesson from this attack is simple: cities need better protection. That means strong passwords, regular updates, staff training, and smart software settings.

Hackers are getting smarter every year, but so are the tools to stop them. With the right steps, local governments can protect their digital systems just like they protect streets, schools, and services. In today’s world, cybersecurity is part of keeping a community safe.


This slideshow was made with AI assistance and human editing.
