A new series of intrusions against the American government, private firms, and critical infrastructure has been discovered. The campaign, attributed to a China-backed group, worked by compromising Pulse Connect Secure, a VPN appliance that many organizations use to give employees remote access to internal networks from home. Utah-based IT company Ivanti, which acquired Pulse Secure and now owns the Pulse Connect Secure product line, said in a statement that the attackers had exploited a flaw in the software to break into the systems of a “very limited number of customers.”
“We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020… We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords in the environment if impacted… There is a new issue, discovered this month, that impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May,” said a Pulse Secure blog post.
Though Ivanti did not say who might be responsible for the breach, cybersecurity firm FireEye Inc. pointed to two suspected groups: one that it assesses operates on behalf of the Chinese government, and a second that is aligned with China-based collection priorities. Charles Carmakal, senior vice president at FireEye’s Mandiant unit, said the link to China was drawn after analysts reviewed the intruders’ tools, tactics, targets, and infrastructure, many of which overlap with previous China-linked intrusions.
FireEye did not name individual victims, saying only that they included government departments, defense contractors, and financial organizations. The group suspected of working on behalf of Beijing was specifically targeting the American defense industrial base. The Department of Homeland Security’s cyber arm, CISA, said it was working with Ivanti to understand the vulnerabilities in Pulse Secure VPN devices and to reduce the resulting risk.
Carmakal said that the full scale of the breach, from a national security perspective, will only be known in the coming weeks and months. This is the second large-scale intrusion campaign attributed to China in recent months. In March, Microsoft blamed Chinese state-sponsored hackers for a worldwide compromise of thousands of organizations through vulnerabilities in its Microsoft Exchange email server software.
In the Pulse Secure campaign, the intruders broke into victims’ networks and planted backdoors on the compromised appliances that let them maintain access and spy on the organizations for several months. As with the Microsoft Exchange intrusions, China has denied any responsibility, with a spokesperson for the Chinese embassy in the United States stating that Beijing is a “staunch defender of cybersecurity.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive in response to the Pulse Secure breach. The agency’s deputy executive assistant director for cybersecurity, Matt Hartman, said that CISA is very concerned about the breach and that it has been issuing such warnings with “increasing frequency” of late, which he called “certainly a cause of concern.” The directive requires every Federal Civilian Executive Branch agency to check whether its systems are affected and, if so, to take the prescribed remediation steps. Because the attackers planted backdoors on the appliances themselves, installing the patch alone does not evict them; that is why the vendor advises resetting passwords and why the directive requires an integrity check of each device rather than just an update.
“CISA has determined that this exploitation of Pulse Connect Secure products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of these vulnerabilities by threat actors in external network environments, the likelihood of the vulnerabilities being exploited, the prevalence of the affected software in the federal enterprise, the high potential for a compromise of agency information systems, and the potential impact of a successful compromise,” the agency said in a statement.
By 5 p.m. Eastern Daylight Time on April 23, every covered federal agency must complete the following:
- Enumerate all instances of Pulse Connect Secure hardware and software in use by the agency or by a third party on behalf of the agency.
- Deploy and run the Pulse Connect Secure Integrity Tool for every identified instance.
- Install updates and other security measures as advised by the vendor within 48 hours.
- Submit a report to CISA.
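The integrity tool in step two works by hashing files on the appliance and comparing them against a known-good manifest, so that a trojaned CGI handler or a dropped webshell shows up as a mismatch even after the software has been patched. The script below is an added illustration of that comparison and is not Ivanti’s Pulse Connect Secure Integrity Tool or any code from the original article; the directory layout, file names, version string and the `system($ENV{...})` backdoor line are all constructed for the demo.

```python
"""File-integrity baseline check: illustrates the kind of comparison an
appliance integrity tool performs (added example, not the vendor's tool)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against a known-good baseline manifest.

    'modified': in both, but the hash differs (e.g. a trojaned CGI script)
    'added':    on disk but absent from the baseline (e.g. a dropped webshell)
    'missing':  in the baseline but gone from disk (e.g. a deleted handler or log)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f, h in baseline.items() if f in current and current[f] != h),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temp directory stands in for an appliance filesystem."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "login.cgi").write_text("#!/usr/bin/perl\n# original login handler\n")
        (root / "cgi-bin" / "logout.cgi").write_text("#!/usr/bin/perl\n# original logout handler\n")
        (root / "etc").mkdir()
        (root / "etc" / "release").write_text("constructed-release-string\n")

        # 1. Known-good baseline. In practice this comes from the vendor,
        #    never from the suspect device itself.
        baseline = build_manifest(root)

        # 2. Simulate post-compromise tampering (all constructed): a backdoored
        #    handler, a newly dropped webshell, and a deleted file.
        (root / "cgi-bin" / "login.cgi").write_text(
            "#!/usr/bin/perl\n# original login handler\nsystem($ENV{'HTTP_X_CMD'});\n"
        )
        (root / "cgi-bin" / "shell.cgi").write_text("#!/usr/bin/perl\n# dropped webshell (constructed)\n")
        (root / "cgi-bin" / "logout.cgi").unlink()

        # 3. Re-scan and diff against the baseline.
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline must come from a trusted source (the vendor’s manifest for the exact release), because a manifest computed on an already-compromised appliance would simply bless the backdoor. Any mismatch on a real device is grounds for isolation and reporting rather than for patching in place.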
American network attacks
The disclosure of the American network attacks comes amid reports that China’s People’s Liberation Army (PLA) allegedly ordered a hacking group to carry out cyberattacks on hundreds of Japanese defense firms, research institutes, and businesses. The report, from Japan’s public broadcaster NHK, stated that the attacks were conducted between 2016 and 2017. Targets included the Japan Aerospace Exploration Agency (JAXA). Authorities have identified a Chinese man as a suspect who they say leased servers that were then used to attack the space agency.
Cyberattacks in Japan
“The man, who is no longer in Japan, is said to be a computer engineer in his 30s. He allegedly rented servers five times under false names. Investigative sources say the servers’ ID and other credentials were then passed on to a Chinese hacker group known as ‘Tick.’ Tokyo police suspect the Chinese People’s Liberation Army instructed Tick to stage cyberattacks in Japan. Sources say that about 200 companies and advanced research institutions, including Mitsubishi Electric and Keio University, were targeted,” states the NHK article. A JAXA spokesperson stated that although the agency had experienced unauthorized access, no data was leaked.
According to cybersecurity expert Iwai Hiroki, the hacking group ‘Tick’ operates under the direction of the Chinese military and national security officials. The group is believed to target entities involved in aerospace research and has been active since the early 2000s. A second Chinese man has also been identified as having used fake identities to rent numerous servers in Japan. He was reportedly working with Unit 61419, a PLA bureau responsible for cyber operations. Based in Qingdao, the unit is tasked with conducting operations against South Korea and Japan.