Washington: Sophisticated Chinese government hackers are believed to have compromised dozens of US government agencies, defence contractors, financial institutions and other critical sectors, according to a private cyber security firm working with the American government.
The intrusions are ongoing, the FireEye security company said, and are the latest in a series of disturbing compromises of government agencies and private companies.
The investigation is in its early stages but already has turned up evidence that the intruders breached sensitive defence companies, according to FireEye. That was not the case with the Russian SolarWinds campaign, which compromised nine federal agencies but not the Defence Department (the Pentagon) or its contractors, US officials said.
And the recent discovery of a separate Chinese operation targeting Microsoft Exchange email servers – one that affected potentially more than 100,000 private-sector companies – did not hit US government agencies.
The Department of Defence is not known to have been compromised in the current campaign, but the investigation is still ongoing, said one US official who spoke on the condition of anonymity because of the matter’s sensitivity.
The hacking group involved was “very advanced” in its steps to evade detection, said Charles Carmakal, chief technology officer of Mandiant, a division of FireEye. The campaign was targeted, focusing on high-value victims with information of value to the Chinese government, he said.
“This looks like classic China-based espionage,” Carmakal said. “There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won’t ever know about.”
The Chinese group, sometimes known as APT5, has in the past victimised defence contractors, telecommunications companies and other critical sectors, he said.
FireEye also detected a second group involved in the hacking operation but could not tell whether that one was based in China or had government links, Carmakal said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged in an alert on Tuesday that the agency was aware of “ongoing exploitation” of software flaws in servers at “US government agencies, critical infrastructure entities, and private sector organisations.”
CISA and FireEye said that the flaws were in Pulse Secure virtual private network servers that enable employees to remotely access their company networks. CISA urged organisations using Pulse Secure to update to the latest software version and run a tool provided by the company to check for compromises.
Pulse Secure, which is now owned by Ivanti, issued a statement saying a “limited number” of customers were affected. “The team worked quickly to provide mitigations directly” to the affected customers, it said.
The White House and FBI declined to comment.
CISA said the hacks began in June 2020 or earlier. FireEye has evidence of intrusions then but suspects they took place “well before that,” Carmakal said. “We’re just limited to the forensic data available to us.”
The company first detected the private-sector intrusions earlier this year and notified the government “a few weeks ago,” he said. The hackers took advantage of a critical “zero day”, or previously unknown vulnerability, in Pulse Secure.
At least a dozen US government agencies have or recently had contracts for the popular software, according to a Washington Post review.
The hackers were able to disguise their activity, CISA said, by using hacked devices such as internet routers in the vicinity of their victims’ locations. Most were in the United States, but some were in Europe, Carmakal said. They also disguised themselves by renaming their systems to masquerade as employees whose computers they hacked, he said.
There was far more concern about the Microsoft Exchange hack – US national security adviser Jake Sullivan even tweeted an alert urging organisations using the servers to patch “ASAP”. That was because the campaign was far more indiscriminate, affecting potentially any organisation or business that ran the Exchange servers to host non-cloud email. The alarms moved enough organisations to patch their systems that the widespread damage some feared might result from the campaign has so far been avoided.
The Washington Post