Suspected Chinese Hackers Exploited Zero-Day in Trimble Cityworks to Target US City Utilities, Talos Reports

8:53 AM   |   24 May 2025

In a stark reminder of the persistent and evolving threats facing critical infrastructure, Cisco's Talos threat intelligence group has revealed that a suspected Chinese state-sponsored hacking crew actively exploited a zero-day vulnerability in Trimble Cityworks, a widely used asset and work management platform, to breach US local government networks. The primary objective of these intrusions, according to Talos, was to gain access to and target utility management systems, raising significant concerns about the security of essential services across the United States.

The vulnerability in question, a deserialization flaw tracked as CVE-2025-0994, was present in Trimble Cityworks, a platform integral to the operations of numerous local governments, utilities, airports, and public works departments. Cityworks is designed to integrate closely with Geographic Information Systems (GIS), providing a comprehensive view and management capability for public assets and work orders, from road maintenance to water pipe repairs and electrical grid management. Its deep integration into the operational fabric of utilities makes it a high-value target for adversaries seeking to disrupt or surveil critical services.

The Vulnerability: CVE-2025-0994

Trimble officially disclosed and patched CVE-2025-0994 in early February. The vulnerability was rated with a CVSS v4 score of 8.6, classifying it as high severity. At the time of disclosure, Trimble warned that an authenticated user could potentially exploit the flaw to achieve Remote Code Execution (RCE) on a customer's Microsoft Internet Information Services (IIS) server hosting the Cityworks application. Deserialization vulnerabilities occur when an application reconstructs objects from untrusted input without validating the types or contents involved; a crafted payload can then make the application instantiate objects whose side effects run attacker-controlled code. Such flaws are particularly dangerous because that code runs with the privileges of the application process itself, in this case the IIS server hosting Cityworks.

Following Trimble's patch release, the US Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw was already under active exploitation in the wild. This rapid confirmation from CISA underscored the urgency for affected organizations to apply the available patches immediately. The fact that the vulnerability impacts systems running on Microsoft IIS, a web server platform that, while mature, still powers many enterprise applications, highlights the enduring risk posed by vulnerabilities in widely deployed, even older, software stacks.

Exploitation Before the Patch: A Zero-Day Scenario

What makes the Talos report particularly concerning is the timeline of the attacks. According to Talos researchers Asheer Malhotra and Brandon White, the suspected Chinese threat actors, tracked as UAT-6382, were exploiting the Cityworks vulnerability *before* Trimble released its official patch. This indicates that UAT-6382 was leveraging CVE-2025-0994 as a zero-day exploit, giving them a window of opportunity to compromise vulnerable systems before defenders were even aware of the threat or had a fix available. This pre-patch exploitation is a hallmark of sophisticated adversaries, often nation-state actors, who invest resources in discovering and weaponizing zero-day vulnerabilities in high-value targets.

The intrusions documented by Talos began as early as January, weeks before the February patch. This allowed UAT-6382 to gain a foothold in the networks of US local governing bodies. Upon initial access, the group engaged in typical post-exploitation activities, including extensive reconnaissance to map the network, identify systems of interest, and locate valuable data or access points. Their activities clearly showed a directed interest in systems specifically related to utilities management, confirming their strategic targeting.

The Threat Actor: UAT-6382 and Suspected Chinese Affiliation

Talos tracks the group responsible for these attacks as UAT-6382. While specific state affiliation is not definitively stated in the public summary, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking threat actor. This assessment is based on a combination of factors, including the group's tactics, techniques, and procedures (TTPs), the specific tooling they deployed, their hands-on-keyboard activity observed during the intrusions, and the victimology – the targeting of US critical infrastructure, particularly utilities, which aligns with the strategic objectives often associated with Chinese state-sponsored cyber activities.

Chinese state-sponsored advanced persistent threat (APT) groups have long been known for targeting critical infrastructure globally, including in the United States. These campaigns often aim at espionage, gathering intelligence on infrastructure operations, capabilities, and dependencies. In some cases, the objective may also be pre-positioning within these networks to enable disruptive or destructive attacks during a future geopolitical crisis. The focus on utility management systems by UAT-6382 is consistent with these broader strategic goals.

Reports from various cybersecurity firms and government agencies, including CISA and the FBI, have repeatedly warned about Chinese state actors embedding themselves within US critical infrastructure networks. For instance, the activities of groups like Volt Typhoon, which has been linked to China and is known for targeting critical infrastructure, highlight the ongoing nature of this threat. The exploitation of a platform like Cityworks, which manages essential utility assets, fits squarely within this pattern of behavior.

Image: Suspected nation-state actors pose a significant threat to critical infrastructure. (Image credit: Wired)

Tools of the Trade: Webshells, Custom Malware, and RATs

To maintain persistence and facilitate their operations within compromised networks, UAT-6382 deployed a suite of tools. These included several webshells, which are malicious scripts or programs uploaded to a web server to provide remote administrative access. Talos observed the use of AntSword and chinatso/Chopper, both notorious webshells widely associated with Chinese-speaking threat actors. The presence of generic file uploaders containing messages written in Chinese further reinforced the attribution assessment.

Beyond standard webshells, the group also utilized more sophisticated custom malware. Notably, they deployed a custom Rust-based loader dubbed TetraLoader. This loader was generated using MaLoader, a malware-building framework reportedly written in Chinese and surfaced on GitHub in late 2024. MaLoader's capability to wrap shellcode into Rust binaries allows attackers to create payloads that can be more difficult for traditional security software to detect due to the characteristics of the Rust programming language and the custom nature of the resulting binaries.

TetraLoader was then used to deploy secondary payloads, including Cobalt Strike and VShell. Cobalt Strike is a legitimate penetration testing tool that is frequently misused by threat actors, including APTs, for post-exploitation activities such as lateral movement, reconnaissance, and command and control. VShell is described by Talos as a Go-based remote access tool (RAT), providing the attackers with persistent remote access to the compromised systems. The combination of widely available, powerful tools like Cobalt Strike and custom, potentially less detected malware like TetraLoader demonstrates a blend of sophistication and reliance on proven techniques common among state-sponsored groups.

The use of these specific tools, particularly those with clear links to Chinese development or prevalent use within Chinese-speaking cybercriminal and state-sponsored communities, provides strong indicators for attribution. The hands-on-keyboard activity observed by Talos researchers suggests that the group was actively navigating the compromised networks, performing targeted reconnaissance, and making deliberate decisions about which systems to pivot to, specifically focusing on those related to utility management.

Targeting Utilities: Strategic Implications

The explicit interest shown by UAT-6382 in pivoting to systems related to utilities management underscores the strategic importance of these targets. Utilities, encompassing water, power, gas, and wastewater systems, are fundamental to the functioning of modern society. Successful cyberattacks against these sectors can have cascading effects, leading to service disruptions, economic damage, and even risks to public health and safety.

Attacks on utility systems can serve multiple purposes for a nation-state adversary. Espionage is a primary motive, allowing the attacker to gain detailed knowledge of a nation's critical infrastructure – its layout, operational procedures, vulnerabilities, and dependencies. This intelligence can be invaluable for future planning, whether for further espionage or for potential disruptive actions. Pre-positioning malware or gaining persistent access within these networks allows an adversary to lie dormant, waiting for a signal to activate capabilities that could cause outages or physical damage during a time of heightened tension or conflict.

The use of a platform like Trimble Cityworks as an entry point is particularly concerning because these systems often bridge the gap between IT networks and operational technology (OT) or industrial control systems (ICS) that directly manage physical processes. While Cityworks itself is primarily an IT-layer asset management system, access to it can provide attackers with critical information about the OT environment, including asset locations, maintenance schedules, and potentially even configuration details, facilitating subsequent attacks deeper within the operational network.

The targeting of local government entities that manage utilities also highlights a potential vulnerability point. Smaller municipalities or utility districts may have fewer resources dedicated to cybersecurity compared to large national corporations, making them potentially softer targets for initial access before attackers move laterally towards more critical systems.

Image: Critical infrastructure such as utilities is increasingly targeted by sophisticated cyber adversaries. (Image credit: TechCrunch)

The Broader Landscape of Critical Infrastructure Threats

The Talos report on UAT-6382's activities is not an isolated incident but fits into a broader pattern of nation-state actors, particularly those linked to China, actively probing and compromising critical infrastructure networks globally. Cybersecurity agencies in the US and allied nations have issued numerous warnings over the past few years regarding these persistent threats.

For example, reports have detailed Chinese state-sponsored groups targeting energy pipelines, transportation systems, and communication networks. These campaigns often employ similar TTPs, including exploiting known or zero-day vulnerabilities in edge devices or widely used software, deploying webshells and custom malware for persistence, and conducting extensive internal reconnaissance. The goal is often described as 'pre-positioning' – establishing covert access that could be used for disruptive purposes in the future.

The focus on asset management systems like Cityworks adds another layer to this threat landscape. These systems hold comprehensive data about physical infrastructure, making them valuable intelligence targets. Compromising such a system could provide an adversary with blueprints of a utility's assets, maintenance history, and operational status, information that could be leveraged to plan highly targeted and effective disruptive attacks.

The ongoing nature of these attacks, even after public warnings and patching, underscores the challenges faced by defenders. Threat actors, especially well-resourced state-sponsored groups, are quick to adapt, find new vulnerabilities, and refine their techniques. The window between a vulnerability's discovery and its exploitation is shrinking, sometimes to zero days, as seen in the Cityworks case.

This dynamic requires a proactive and intelligence-driven defense strategy. Organizations managing critical infrastructure must prioritize vulnerability management, implement robust monitoring capabilities to detect post-exploitation activities, and leverage timely threat intelligence from sources like CISA and private security firms to stay ahead of emerging threats.

Image: Threat intelligence is crucial for understanding and defending against sophisticated attacks. (Image credit: VentureBeat)

Mitigation and Defense Strategies for Critical Infrastructure

In light of attacks like those exploiting the Trimble Cityworks vulnerability, organizations operating critical infrastructure, particularly local governments and utilities, must prioritize cybersecurity defenses. Several key strategies are essential:

  • Vulnerability Management and Patching: Promptly applying security patches, like the one issued by Trimble for CVE-2025-0994, is the most critical step. Organizations must have a robust process for tracking vulnerabilities in their software and systems and applying updates as soon as they are available. Given the risk of zero-day exploitation, staying informed through vendor security advisories and government alerts (like CISA's KEV catalog) is paramount.
  • Asset Management and Visibility: Knowing what systems are on the network, including IT and OT assets and the software running on them (like Cityworks), is fundamental. Comprehensive asset inventories help identify potential targets and ensure that all vulnerable systems are accounted for during patching cycles.
  • Network Segmentation: Implementing strong network segmentation is vital to limit the lateral movement of attackers. Critical systems, especially those managing operational functions (OT/ICS), should be isolated from less sensitive IT networks. If a system like Cityworks is compromised on the IT side, segmentation can prevent attackers from easily pivoting to core operational controls.
  • Monitoring and Detection: Deploying robust security monitoring solutions (e.g., EDR, SIEM) is necessary to detect suspicious activity indicative of post-exploitation, such as the deployment of webshells, unusual process execution (like running Cobalt Strike or custom loaders), or attempts to access sensitive systems. Behavioral analysis can help spot deviations from normal network activity.
  • Threat Intelligence: Subscribing to and acting upon threat intelligence feeds from trusted sources (government agencies, cybersecurity firms) provides early warnings about emerging threats, exploited vulnerabilities, and attacker TTPs. This intelligence can help defenders proactively hunt for signs of compromise.
  • Incident Response Planning: Having a well-defined and practiced incident response plan is crucial. Knowing how to detect, contain, eradicate, and recover from a cyberattack can significantly reduce its impact.
  • Authentication and Access Control: While CVE-2025-0994 as disclosed requires an authenticated user, ensuring strong authentication mechanisms (like multi-factor authentication) and least-privilege access controls for all systems, especially those managing critical assets, adds layers of defense.
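As an added illustration of the monitoring point above (this is example code written for this article, not Talos' tooling or anything from the report), the script below applies two of the described detection ideas to constructed sample data: webshell-like POST traffic in IIS W3C logs (scripts dropped under static-content paths, the AntSword client's default User-Agent, anonymous POSTs to scripts nobody ever fetched) and the IIS worker process w3wp.exe spawning a command interpreter or a binary from a user-writable path. All log lines, paths, IP addresses and the `loader.exe` name are constructed, not indicators from the report.

```python
import re
# Constructed IIS W3C log lines (not from the Talos report); fields in order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2025-01-14 02:11:05 10.0.0.5 GET /cityworks/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-01-14 02:13:40 10.0.0.5 POST /cityworks/upload.ashx - 443 jdoe 203.0.113.7 Mozilla/5.0 200
2025-01-14 02:14:02 10.0.0.5 POST /cityworks/images/tmp.aspx - 443 - 203.0.113.7 antSword/v2.1 200
"""
# Constructed process-creation events: (parent image, child image, command line)
PROC_EVENTS = [
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Users\Public\loader.exe", "loader.exe"),  # hypothetical name
]
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)
STATIC_DIRS = ("/images/", "/uploads/", "/content/", "/temp/")  # should never serve server-side scripts
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
WRITABLE_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\programdata\\")
WEBSHELL_UA_HINTS = ("antsword",)  # the AntSword client names itself in the User-Agent by default

def find_webshell_activity(log_text):
    # Parse W3C lines and flag POSTs to server-side scripts that carry webshell traits
    findings, seen_get = [], set()
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 11:  # skip directive lines and malformed rows
            continue
        method, uri, user, client, ua = f[3], f[4].lower(), f[7], f[8], f[9].lower()
        if method == "GET":
            seen_get.add(uri)
        if method != "POST" or not SCRIPT_EXT.search(uri):
            continue
        reasons = []
        if any(d in uri for d in STATIC_DIRS):
            reasons.append("script under a static-content directory")
        if any(h in ua for h in WEBSHELL_UA_HINTS):
            reasons.append("User-Agent of a known webshell client")
        if user == "-" and uri not in seen_get:
            reasons.append("anonymous POST to a script never fetched via GET")
        if reasons:
            findings.append((f[0] + " " + f[1], client, f[4], reasons))
    return findings

def find_suspicious_children(events):
    # Flag the IIS worker process (w3wp.exe) spawning shells or binaries from user-writable paths
    findings = []
    for parent, child, cmdline in events:
        if not parent.lower().endswith("\\w3wp.exe"):
            continue
        name = child.lower().rsplit("\\", 1)[-1]
        if name in SHELLS:
            findings.append((child, "w3wp.exe spawned a command interpreter: " + cmdline))
        elif any(d in child.lower() for d in WRITABLE_DIRS):
            findings.append((child, "w3wp.exe launched a binary from a user-writable path"))
    return findings
```

On the sample data the legitimate authenticated upload is not flagged, while the script under /images/ is flagged for all three reasons and both w3wp.exe child processes are reported; in practice the static-directory and writable-path lists should be tuned to the actual Cityworks deployment.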

The attack on Cityworks users highlights that even platforms designed to improve efficiency in managing physical infrastructure can become vectors for sophisticated cyberattacks. The interconnectedness of IT and OT systems in modern utilities means that a compromise in one area can quickly impact another, with potentially severe consequences.

Image: Applying security patches promptly is a critical defense against known vulnerabilities. (Image credit: TechCrunch)

Conclusion

The report from Cisco Talos serves as a critical warning: US city utilities and local governments are firmly in the crosshairs of sophisticated, suspected nation-state adversaries. The exploitation of a zero-day vulnerability in a platform as fundamental as Trimble Cityworks demonstrates the attackers' capability to identify and weaponize flaws in software crucial to managing essential services. The clear focus on utility management systems by the UAT-6382 group, coupled with their use of tools linked to Chinese-speaking actors, reinforces concerns about strategic cyber espionage and potential pre-positioning for future disruptive actions against critical infrastructure.

Defending against such determined adversaries requires a multi-faceted approach. It begins with fundamental cybersecurity hygiene, including rigorous patching and vulnerability management, but must extend to proactive threat hunting, robust monitoring, and strategic network segmentation. Collaboration between government agencies like CISA and private sector threat intelligence firms like Talos is essential for sharing information and enabling timely defense.

As the digital and physical worlds become increasingly intertwined, the cybersecurity of critical infrastructure is no longer solely a technical challenge but a matter of national security and public safety. The attacks on Cityworks users are a stark reminder that the digital vulnerabilities in our infrastructure management systems can have very real-world implications, demanding continuous vigilance and investment in defense.