Critical Infrastructure at Risk: Chinese APT Group Targets US Municipal Systems Through Trimble Cityworks Vulnerability

CyberSecureFox 🦊

Cisco Talos researchers have uncovered a sophisticated cyber espionage campaign targeting U.S. critical infrastructure through a previously unknown vulnerability in Trimble Cityworks, a widely used municipal infrastructure management system. The attacks, attributed to the Chinese state-sponsored threat actor UAT-6382, demonstrate an alarming escalation in the targeting of local government facilities and utilities.

Technical Analysis of the Attack Vector

The threat actors leveraged CVE-2025-0994, a critical vulnerability in Trimble Cityworks, using a custom-built Rust-based malware loader. This approach allowed them to deploy multiple post-exploitation tools, including Cobalt Strike beacons and the VSHell backdoor, establishing persistent access to compromised systems. The use of the Rust programming language suggests an evolution in the attackers’ tactics, making their malware more difficult to detect and analyze.

Infrastructure Impact and Attack Attribution

The campaign primarily targeted municipal utility management systems, with investigators discovering multiple Chinese-language indicators within the deployed malware. The attack infrastructure included several specialized tools commonly associated with Chinese APT groups, including:
– AntSword web shell
– Modified versions of the Chopper web shell
– A custom TetraLoader variant built using the MaLoader framework

Detection and Mitigation Measures

In response to this critical threat, Trimble released emergency security patches in early February 2025. CISA has mandated federal agencies to apply these updates within three weeks and added CVE-2025-0994 to its Known Exploited Vulnerabilities catalog. Organizations managing critical infrastructure in water treatment, energy distribution, and transportation sectors are strongly advised to implement these patches immediately.

This incident highlights the growing sophistication of state-sponsored cyber operations targeting critical infrastructure. Security professionals should implement comprehensive monitoring systems, regularly update security protocols, and maintain robust incident response plans. The involvement of a sophisticated APT group in targeting municipal infrastructure systems serves as a stark reminder of the critical importance of proactive cybersecurity measures in protecting essential public services.
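The article names two web shells (AntSword and a modified Chopper) among the deployed tooling and recommends monitoring. The following script is an added illustration of what such monitoring can look like at the web-server log layer; it is not from Cisco Talos, Trimble or the original post. It scans constructed access-log lines and flags two patterns a dropped web shell tends to produce: POST requests to a server-side script path that is not in a baseline of known application endpoints, and requests carrying a known web shell client user-agent token. The log lines, hostnames, paths and the baseline are all constructed; the assumption that the AntSword client identifies itself with an "antSword" user-agent token is marked as such in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of access-log lines in Common Log Format with the
# User-Agent appended. This is not a real Cityworks log; every address,
# path and timestamp is made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2025:08:01:12 +0000] "GET /cityworks/Login.aspx HTTP/1.1" 200 5120 "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2025:08:01:40 +0000] "POST /cityworks/Login.aspx HTTP/1.1" 302 0 "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2025:08:03:02 +0000] "GET /cityworks/images/logo.png HTTP/1.1" 200 2048 "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:08:07:55 +0000] "POST /cityworks/Images/cache.aspx HTTP/1.1" 200 88 "antSword/v2.1"
203.0.113.7 - - [10/Feb/2025:08:08:10 +0000] "POST /cityworks/Images/cache.aspx HTTP/1.1" 200 1440 "antSword/v2.1"
198.51.100.4 - - [10/Feb/2025:08:12:30 +0000] "POST /cityworks/Temp/up.aspx HTTP/1.1" 200 12 "Mozilla/5.0"
"""

# Constructed baseline: application endpoints that legitimately accept POSTs.
# In practice this is built from the deployed application's own route list.
BASELINE_POST_ENDPOINTS: Set[str] = {"/cityworks/Login.aspx"}

# Server-side script extensions a web shell is typically dropped as.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.IGNORECASE)

# Assumption: the AntSword client sends a User-Agent containing "antSword".
# Treat this as one indicator among others, not as proof on its own.
SUSPICIOUS_UA_TOKENS = ("antsword",)

# Common Log Format plus a quoted User-Agent field at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    path: str
    reason: str


def analyze(log_text: str, baseline: Set[str]) -> List[Finding]:
    """Return one Finding per log line that matches a web shell indicator."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = m["path"].split("?", 1)[0]  # ignore the query string
        ua = m["ua"].lower()
        if any(tok in ua for tok in SUSPICIOUS_UA_TOKENS):
            findings.append(Finding(m["ip"], m["ts"], path, "web-shell client user-agent"))
        elif m["method"] == "POST" and SCRIPT_EXT.search(path) and path not in baseline:
            # A POST to a script the application never exposed is the classic
            # footprint of an uploaded web shell being driven by its operator.
            findings.append(Finding(m["ip"], m["ts"], path, "POST to script outside baseline"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, BASELINE_POST_ENDPOINTS):
        print(f"{f.ts}  {f.ip:<15} {f.path:<35} {f.reason}")
```

The baseline check is the more durable of the two rules: user-agent strings are trivially changed by an operator, whereas a shell has to live at a path the legitimate application does not serve. Running the scan on the constructed log yields three findings, all from the two addresses that never touch the normal login flow.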
