The web-based software known as the Animal Health Emergency Reporting Diagnostic System, or USAHERDS, serves as a helpful digital tool for state governments to track and trace animal disease through populations of livestock. Now it’s turned out to be a kind of infection vector of its own—in the hands of one of China’s most prolific groups of hackers.

On Tuesday, the cybersecurity incident-response firm Mandiant revealed a long-running hacking campaign that breached at least six US state governments over the past year. Mandiant says the campaign, which it believes to have been the work of the notorious Chinese cyberespionage group APT41—also known as Barium, or as a part of the larger Chinese hacker group Winnti—used a vulnerability in USAHERDS to penetrate at least two of those targets. It may have hit many more, given that 18 states run USAHERDS on web servers, and any of those servers could have been commandeered by the hackers.

APT41 has gained a reputation as one of China’s most aggressive hacking groups. The US Department of Justice indicted five of its members in absentia in 2020 and accused them of hacking into hundreds of victims’ systems across Asia and the West, both for state-sponsored espionage and for profit. The group’s goal in this latest series of intrusions, or what data they may have been seeking, remains a mystery. But Mandiant analyst Rufus Brown says that it nonetheless shows just how active APT41 remains, and how inventive and thorough it’s been searching for any toehold that might allow them into yet another set of targets—even an obscure livestock management tool most Americans have never heard of.

“It’s very unnerving to see this group everywhere,” says Brown. “APT41 is going after any external-facing web application that can give them access to a network. Just very persistent, very continuous targeting.”

Late last year, Mandiant warned the developer of USAHERDS, a Pennsylvania-based company called Acclaim Systems, of a high-severity hackable bug in the app. The app encrypts and signs the data sent between PCs and the server running it using keys that are meant to be unique to every installation. Instead, the keys were hard-coded into the application, meaning they were the same for every server that ran USAHERDS. That meant that any hacker who learned the hard-coded key values—as Mandiant believes APT41 did during its reconnaissance of another, earlier victim’s network—could manipulate data sent from a user’s PC to the server to exploit another bug in its code, allowing the hacker to run their own code on the server at will. Mandiant says Acclaim Systems has since patched the USAHERDS vulnerability. (WIRED reached out to Acclaim Systems but didn’t receive a response.)

USAHERDS is hardly the only web app APT41 appears to have hacked as a way into its victims’ systems. Based on a series of incident response cases over the last year, Mandiant believes that the Chinese group has since at least May of last year been targeting US state governments by exploiting web applications that use a development framework called ASP.NET. At first, the group appears to have used a vulnerability in two such web apps, which Mandiant declined to name, to hack into two US state governments. Each of those apps was used solely by one of the two state agencies, Mandiant says.

But the next month, and continuing through the end of 2021, Mandiant saw the hackers move on to target USAHERDS as another means of entry. APT41 hacked USAHERDS first as way into one of the two state governments it had already targeted, and then to breach a third. Mandiant hasn’t confirmed that the same vulnerability was used to hack any other victims. Starting in December, Mandiant found that APT41 moved on to exploiting the widely publicized vulnerability in Log4j, the commonly used Apache logging framework, using it to breach at least two other US state governments.