China-linked hackers used Pulse Secure flaw to target US defense industry - researchers

At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American networking devices to spy on the US defense industry, researchers and the devices' manufacturer said Tuesday.

Utah-based IT company Ivanti said in a statement that the hackers took advantage of the flaw in its Pulse Connect Secure suite of virtual private networking devices to break into the systems of "a very limited number of customers."

Ivanti said https://kb.pulsesecure.net/pkb_mobile#article/l:en_US/SA44784/s that while it was taking steps to mitigate the compromises a fix for the issue would not be available until early May.

Ivanti provided no detail about who might be responsible for the espionage campaign but, in a report timed to Ivanti's announcement, cybersecurity company FireEye said it suspected that at least one of the hacking groups operates on behalf of the Chinese government.

"The other one we suspect is aligned with China-based initiatives and collections," FireEye's Charles Carmakal said ahead of the report's release.

Tying hackers to a specific country is fraught with uncertainty, but Carmakal said his analysts' judgment was based on an analysis of the hackers' tactics, tools, infrastructure, and targets - many of which echoed past China-linked intrusions.

China's Embassy in Washington did not immediately respond to a request seeking comment. Beijing routinely denies carrying out hacking operations.

FireEye declined to name the hackers' targets, identifying them only as "defense, government, and financial organizations around the world." It said the group of hackers suspected of working on Beijing's behalf were particularly focused on the US defense industry.

In a statement, the cyber arm of the Department of Homeland Security said it was working with Ivanti "to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks."

The US National Security Agency did not immediately return messages seeking comment. US officials have repeatedly accused Chinese hackers of stealing American military secrets over the years through a variety of means.

Lately networking devices - which can be hard for companies to monitor - have emerged as a favored avenue for digital spies.

In 2020 FireEye warned https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-glo... that Beijing-aligned hackers were targeting devices manufactured by Citrix and Cisco to break into a host of companies in what it described as one of the broadest campaigns by a Chinese actor that it had seen in years.

The timing of the latest series of hacks wasn't made explicit, although FireEye's report said that it investigated them "early this year."

Carmakal added that the hackers were operating from US digital infrastructure and borrowing the naming conventions of their victims to camouflage their activity so they would look like any other employee logging in from home.

"We are seeing pretty advanced tradecraft," he said.