Die Zeit, in a long and glum piece on the implications of the Log4shell vulnerability, points out that the term "affected" can be ambiguous, particularly when it appears in phrases like "not affected." What counts as "affected?" It's not necessarily synonymous with "attacked," "breached," or even "vulnerable." If you've had to devote time and resources to inventorying your software for a specific vulnerability, there's a sense in which you've "been affected," even if at the end of it all you've found nothing.
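The "inventorying" that Die Zeit treats as a cost in its own right is, in practice, a scan for log4j-core builds hiding inside deployed artifacts. The following scanner is an added example written for this page, not code from Die Zeit, The CyberWire, or the Apache project. It walks .jar/.war/.ear archives, recurses into archives nested inside them (the case a filename-only search misses), reads the log4j-core version from the bundled Maven pom.properties, and checks for JndiLookup.class, whose removal was Apache's documented stopgap. The 2.15.0 floor is the log4j-core release that closed the original Log4shell hole; later advisories raised it, so treat the label as a triage hint. The sample "fleet" at the bottom is constructed in memory with placeholder class bytes.

```python
"""Added example: inventory scanner for log4j-core inside (nested) Java archives."""
import io
import zipfile

# Real paths inside a log4j-core 2.x jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 15, 0)  # first release that closed the original Log4shell hole


def _version_from_props(raw):
    """Pull 'version=' out of Maven's pom.properties; None if absent."""
    for line in raw.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a non-numeric tail such as '-rc1' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def _scan_zip(zf, path, findings):
    """Record log4j-core evidence in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    version = _version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    if version is not None or has_jndi:
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not really a zip; skip rather than abort the scan
            _scan_zip(inner, path + "!" + name, findings)


def scan_archive(data, path):
    """Scan one archive given as bytes; returns a list of finding dicts."""
    findings = []
    _scan_zip(zipfile.ZipFile(io.BytesIO(data)), path, findings)
    return findings


def classify(finding):
    """Triage label for one finding."""
    if not finding["jndi_lookup"]:
        return "mitigated: JndiLookup.class removed or not shipped"
    v = finding["version"]
    if v is None or _version_tuple(v) < FIXED:
        return "patch: JndiLookup present, version " + (v or "unknown")
    return "fixed release " + v + ", recheck against current advisory"


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_fleet():
    """Constructed test data, not real artifacts; class files are placeholder bytes."""
    core_2_14_1 = _zip_bytes({
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
    })
    return {
        # log4j-core buried in a web app: invisible to a search on top-level filenames
        "app.war": _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": core_2_14_1}),
        # same release with the lookup class deleted (the class-removal mitigation)
        "stripped-log4j-core-2.14.1.jar": _zip_bytes({POM_PROPS: b"version=2.14.1\n"}),
        "unrelated.jar": _zip_bytes({"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
    }


def inventory(fleet):
    """Map {path: archive bytes} to a list of (nested path, triage label)."""
    report = []
    for path, data in fleet.items():
        for f in scan_archive(data, path):
            report.append((f["path"], classify(f)))
    return report


if __name__ == "__main__":
    for path, label in inventory(build_sample_fleet()):
        print(path, "->", label)
```

The scanner only sees log4j 2.x jars that keep their Maven metadata and class layout; shaded or repackaged builds, log4j 1.x, and jars loaded from outside the scanned tree need separate handling, which is exactly why the inventory work is real effort even when it ends with "not affected."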
There have been reports of exploitation by both gangs and intelligence services: the crooks and spies have been up and at 'em this week. Haaretz reports, citing sources at Check Point, that Iranian operators had by yesterday sought to compromise seven Israeli governmental and commercial targets using Log4shell exploits. Both Microsoft and Mandiant have warned of Chinese and Iranian exploitation of the vulnerability, the Wall Street Journal sums up, adding that Microsoft also reports seeing North Korean and Turkish attempts to take advantage of Log4j. (The Chinese embassy in Washington told the Journal that they're opposed to “cyberattacks of any kind.” The embassy also pointed out that it was a Chinese company that first discovered the issue and disclosed it to Apache. In fairness to Beijing, they're right about that second point: Alibaba's Cloud Security Team found and reported the problem on November 24th.)
In some respects, however, nation-state exploitation seems almost a case of a dog not barking. The Journal quotes CrowdStrike's senior vice president of intelligence, Adam Meyers to that effect: “It’s a surprise it’s not more widespread. The question that everyone is asking is, ‘What aren’t we seeing?’” Mandiant also expects to see more nation-state exploitation: "We expect threat actors from additional countries will exploit it shortly, if they haven’t already. In some cases, state sponsored threat actors will work from a list of prioritized targets that existed long before this vulnerability was known. In other cases, they may conduct broad exploitation and then conduct further post-exploitation activities of targets as they are tasked to do so."
And one of those dogs that's not obviously barking? Well, not dogs, but in this case bears. Russian state actors, BGR observes, are noticeably not being mentioned in dispatches.
The CyberWire's latest coverage of Log4shell may be found on our site.