China is behind a newly discovered series of hacks against key targets in the US government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.
The hack works by breaking into Pulse Secure, a program that companies often use to allow employees to remotely connect to their office. The company announced on Tuesday how users can check if they have been affected, but said the software update to avoid the risk to users will not be released until May.
The campaign is the third clear and serious cyber-espionage operation against the US made public in recent months, further straining an already stretched cybersecurity workforce. In January, the US government accused Russia of hacking into nine government agencies through SolarWinds, a Texas software company widely used by US companies and government agencies. In March, Microsoft blamed China for setting off a free-for-all in which dozens of different hacking groups broke into organizations around the world through the Microsoft Exchange email program.
In all three campaigns, the hackers first used those programs to hack victims’ computer networks, then created back doors to spy on them for months, if not longer.
The US Cybersecurity and Infrastructure Security Agency, or CISA, said in a warning Tuesday evening that the latest hacking campaign is currently “hitting US government agencies, critical infrastructure entities and other private organizations.”
CISA activated its strictest emergency powers on Tuesday evening, requiring every civilian government agency to scan its systems to see if they had been affected by the hack and to take action to resolve the issue. Such directives have historically been rare, but this is the second one the agency has issued in seven weeks, following the Exchange hack.
“In recent months, we’ve been issuing them more and more, which is certainly a concern and something we don’t take lightly,” said Matt Hartman, the agency’s deputy executive assistant director of cybersecurity.
“We at CISA are very concerned,” he said.
Unlike the hacks on SolarWinds and Exchange, both of which had at least tens of thousands of potential victims, there is little evidence that China used Pulse to hack a host of targets. But the hack is especially important because it allowed China to access several federal agencies and major US companies for months, said Charles Carmakal, Mandiant’s chief technology officer.
“We are starting to see a revival of the Chinese government’s espionage activities,” he said.
None of the victims have been made public so far, although that is likely to change, Carmakal said.
“In the coming weeks and months, we will get a better idea of how important this is from a national security point of view,” he said.
As with the Exchange hack, China deflected but did not deny responsibility. In an emailed statement, a spokesman for the Chinese Embassy in the US, Liu Pengyu, said that China is “a staunch defender of cyber security” and “strongly opposes and fights against all forms of cyber-attacks.”