China-linked hackers used software flaws to target US federal agencies

The Cybersecurity and Infrastructure Security Agency of United States has confirmed that several federal agencies were compromised by a threat actor last year through vulnerabilities found in virtual private networking software made by Pulse Connect Secure.

Ivanti, the parent company of the Pulse Connect Secure product line, said in a security update that they are working with CISA, FireEye, and Stroz Friedberg to investigate and respond to the exploit. In addition, the company is offering a tool for customers to use to test their appliances. Customers can also reach out to Ivanti for testing help and support.

Ivanti Inc said in a statement the hackers took advantage of the flaw in its Pulse Connect Secure suite to break into the systems of “a very limited number of customers.”

Ivanti said that while mitigations were in place, a fix for the issue would be unavailable until early May.

Ivanti provided no detail about who might be responsible for the espionage campaign but, in a report timed to Ivanti’s announcement, cybersecurity company FireEye Inc said it suspected that at least one of the hacking groups operates on behalf of the Chinese government.

“The other one we suspect is aligned with China-based initiatives and collections,” said Charles Carmakal, a senior vice president of Mandiant, an arm of Fireye, ahead of the report’s release.

Tying hackers to a specific country are fraught with uncertainty, but Carmakal said his analysts’ judgment was based on a review of the hackers’ tactics, tools, infrastructure and targets – many of which echoed past China-linked intrusions.

Chinese Embassy spokesperson Liu Pengyu said China “firmly opposes and cracks down on all forms of cyberattacks,” describing FireEye’s allegations as “irresponsible and ill-intentioned.”

FireEye declined to name the hackers’ targets, identifying them only as “defence, government, and financial organizations around the world.” It said the group of hackers suspected of working on Beijing’s behalf were particularly focused on the U.S. defence industry.

In a statement, the cyber arm of the Department of Homeland Security said it was working with Ivanti “to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks.”

The US National Security Agency declined to comment. U.S. officials have repeatedly accused Chinese hackers of stealing American military secrets over the years through various means.

Lately, networking devices, which can be hard for companies to monitor, have emerged as a favoured avenue for digital spies.

In 2020 FireEye warned that Beijing-aligned hackers were targeting devices manufactured by Citrix Systems Inc and Cisco Systems Inc to break into a host of companies in what it described as one of the broadest campaigns by a Chinese actor that it had seen in years.

The timing of the latest series of hacks was not made explicit, although FireEye’s report said it investigated them “early this year.”

Carmakal added that the hackers were operating from U.S. digital infrastructure and borrowing the naming conventions of their victims to camouflage their activity so they would look like any other employee logging in from home.

“We are seeing pretty advanced tradecraft,” he said.

(With inputs from agencies)