According to a report by the cybersecurity company FireEye, two China-based hacker groups have exploited a VPN weakness to access US defense industry research.
The report shows the hackers used previously known flaws in Pulse Secure VPN, as well as a newly discovered one. The product is owned by Ivanti, a Utah-based company, and these chinks in its armor opened a backdoor to dozens of agencies and organizations within the defense sector.
In response, the US Department of Homeland Security urged network admins to scan for any signs of compromise and install the necessary solution by Ivanti once one is available.
“The other one we suspect is aligned with China-based initiatives and collections,” said Charles Carmakal, vice president of Mandiant, a FireEye subsidiary. While linking cyberattacks to a specific country is often tenuous, Mandiant’s analysts showed that the tools, tactics, and targeted infrastructure resemble previous China-based intrusions. Carmakal also said, “These actors are highly skilled and have deep technical knowledge of the Pulse Secure product.”
Liu Pengyu, the Chinese Embassy spokesperson, said, “it is irresponsible and ill-intentioned to accuse a particular party when there is no sufficient evidence around.”
While FireEye named no explicit targets, it did identify the affected institutions as “defense, government, and financial organizations around the world,” with a specific focus on the US defense industry.
According to FireEye’s report, such intrusions began in August 2020. They are related to a group of hackers known as UNC2630 with ties to APT5 – a group previously associated with cyberattacks conducted for the Chinese government. Carmakal added that these bad actors used the US digital infrastructure naming conventions to hide their intrusion. It effectively made it look like an employee was logging in from home.
The Department of Homeland Security is working with Ivanti “to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal, civilian, and private sector networks.”
A breach at this level shows how vital it is to use VPN services from trusted providers, as any vulnerability leaves a potential backdoor open for anyone who goes looking for it.