Dozens of U.S. Defense Agencies Compromised By Chinese-State Hackers

A recent report reveals that Chinese hackers allegedly infiltrated a company’s VPN technology to penetrate computer networks of the US defense industry sector.

Researchers connected the hacking incident to two threat actors, with one of them seemingly coming from an official Chinese-sponsored cyber-spying operation.

The threat actors used malware to steal user and administrative credentials and log into the systems of U.S. defense industry companies from October 2020 to March 2021, according to security firm Mandiant.

The security firm also stated that financial companies and governments in Europe and the US were also targets of the hacking campaign.

FireEye security firm also commented on the hacking campaign, adding that it has compromised dozens of U.S. financial institutions, defense contractors, government agencies, and critical sectors.

The security team also stated that the campaign is still ongoing, and it represents the latest in a series of disturbing compromises of private companies and government agencies.

Investigation into the hacking incident started only recently, and only a few discoveries have been made. However, it has already been revealed that the threat actors infiltrated sensitive defense companies, according to FireEye.

This is different from the SolarWinds attack, attributed to Russia, which compromised 9 federal agencies but not any U.S. defense agencies or their contractors.

Even the Chinese operation that targeted Microsoft Exchange email servers did not affect any U.S. government agency, unlike the recent malware campaign.

A U.S. official, who wants to remain anonymous, stated that the investigation so far has not revealed any evidence that the Defense Department was affected by the attack.

Infiltrating highly sensitive security agencies at this scale requires a sophisticated group, and this one proved to be. Preliminary investigation revealed that the hackers used “very advanced” tools to plant malware and to evade detection, according to Charles Carmakal, chief technology officer of Mandiant.

The hacking campaign concentrated on high-value targets holding information of critical interest to the Chinese government.

“This looks like classic China-based espionage,” Carmakal stated, adding that the campaign involved the theft of project data and intellectual property.

The Chinese APT5 group linked to the attack has been connected to similar attacks in the past involving telecommunications companies, defense contractors, and other critical sectors of the economy. The second group detected in the operation has not been completely identified, but FireEye says the security team will know more as the investigation into the campaign continues.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the hacking campaign when it issued an alert on Tuesday. The agency stated that it was aware of the present threats and exploitation of software flaws within several U.S. private organizations, critical infrastructure entities, and government agencies.

FireEye and CISA explained that the vulnerabilities were found in Pulse Secure VPN servers that give workers remote access to their employers’ networks. As a result, the agency is urging any organization still using Pulse Secure to carry out an immediate upgrade to the latest software version. They should also run a tool the company has provided to find out whether their systems have already been compromised.

CISA also advised all civilian agencies to carry out the same upgrade to protect their systems from any unseen attack.
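Two defender-side checks follow from the advice above: confirm which appliances in a fleet still run a release older than the patched one, and look in VPN authentication logs for the pattern the article describes, stolen administrative credentials being used to log in. The script below is an added example, not code from the article, Mandiant, CISA or Pulse Secure. Every value in it is constructed: the hostnames, the version strings (a simplified "major.minorRrelease" shape), the log format, the IP addresses, and the `PATCHED_BASELINE` placeholder, which is not a real release number.

```python
# Added example (not from the article or any of the organisations it names).
# Inventory, log format, addresses and PATCHED_BASELINE are all constructed
# for illustration; substitute your own data and the vendor's actual fixed
# release before using this against a real fleet.
import re
from typing import Dict, List, Set, Tuple

# PLACEHOLDER: the first release you treat as patched (not a real version).
PATCHED_BASELINE = "9.1R99"

# Constructed appliance inventory.
INVENTORY: List[Dict[str, str]] = [
    {"host": "vpn-east-01", "version": "9.1R8"},
    {"host": "vpn-west-02", "version": "9.1R99"},
    {"host": "vpn-legacy", "version": "8.3R7"},
]

# Constructed authentication log lines in an assumed key=value format.
AUTH_LOG = """\
2021-03-02T02:14:07Z vpn-east-01 auth user=svc_backup role=admin src=203.0.113.45 result=success
2021-03-02T09:30:11Z vpn-east-01 auth user=jdoe role=user src=198.51.100.20 result=success
2021-03-02T09:35:40Z vpn-west-02 auth user=admin role=admin src=192.0.2.10 result=success
2021-03-02T23:55:03Z vpn-west-02 auth user=admin role=admin src=203.0.113.45 result=failure
2021-03-03T03:02:19Z vpn-west-02 auth user=admin role=admin src=203.0.113.45 result=success
"""

# Source addresses from which administrative logins are expected (constructed).
KNOWN_ADMIN_SOURCES: Set[str] = {"192.0.2.10"}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '9.1R8' into (9, 1, 8) so releases compare numerically; plain
    string comparison would wrongly rank '9.1R8' above '9.1R10'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_upgrade(version: str, baseline: str = PATCHED_BASELINE) -> bool:
    """True when the appliance runs a release older than the patched baseline."""
    return version_key(version) < version_key(baseline)


def outdated_appliances(inventory, baseline: str = PATCHED_BASELINE) -> List[str]:
    """Hostnames that still need the upgrade the advisory calls for."""
    return [a["host"] for a in inventory if needs_upgrade(a["version"], baseline)]


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def suspicious_admin_logins(events, known_sources=KNOWN_ADMIN_SOURCES):
    """Successful logins by admin-role accounts from a source not on the
    expected list: the footprint of stolen administrative credentials being
    replayed against the VPN. Returns (host, user, src, timestamp) tuples."""
    return [
        (e["host"], e["user"], e["src"], e["ts"])
        for e in events
        if e["role"] == "admin"
        and e["result"] == "success"
        and e["src"] not in known_sources
    ]


def sources_spanning_appliances(events, min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Sources that authenticated successfully to several appliances: one
    stolen credential reused across the fleet is a stronger signal than a
    single odd login on one box."""
    seen: Dict[str, Set[str]] = {}
    for e in events:
        if e["result"] == "success":
            seen.setdefault(e["src"], set()).add(e["host"])
    return {src: hosts for src, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("needs upgrade:", outdated_appliances(INVENTORY))
    evts = parse_auth_log(AUTH_LOG)
    for hit in suspicious_admin_logins(evts):
        print("review admin login:", hit)
    print("sources seen on multiple appliances:", sources_spanning_appliances(evts))
```

The version check deliberately ignores text between the numbers so that a vendor's own format survives the comparison; the log checks key on role and outcome rather than on specific usernames, since the article's point is that legitimate credentials were used. Neither check replaces the vendor's integrity tool, which inspects the appliance itself rather than its logs.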

Pulse Secure, which has been bought by Ivanti, has also responded to the incident. The company stated that the hacking campaign affected only a “limited number” of customers. It added that the company’s security team acted swiftly to provide direct mitigations to the affected customers.

On Wednesday, a White House spokesperson stated that CISA is managing the situation and is closely monitoring the incident. However, at the time of writing, the FBI has not commented on the incident.

FireEye says it saw some evidence suggesting the hacking incident started in June last year, but the entire campaign could have started before that. “We’re just limited to the forensic data available to us,” the security firm stated.