China is behind a recently discovered series of hacks against key targets in the US government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said on Wednesday.
The hack works by breaking into Pulse Secure, a program that companies often use to allow workers to connect remotely to their offices. The company announced on Tuesday how users can check whether they have been affected, but said that a software update to remove the risk will not be released until May.
The campaign is the third distinct and severe cyberespionage operation against the US made public in recent months, adding strain to an already stretched cybersecurity workforce. The US government accused Russia in January of hacking nine government agencies through SolarWinds, a Texas-based software company widely used by US businesses and government agencies. In March, Microsoft blamed China for launching a free-for-all in which dozens of different hackers broke into organizations around the world through the Microsoft Exchange e-mail program.
In all three campaigns, hackers first used those programs to break into victims’ computer networks, then created backdoors to spy on them for months, if not longer.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a warning Tuesday night that the latest hacking campaign “affects U.S. government agencies, critical infrastructure entities and other private sector organizations.”
CISA activated its strictest emergency powers on Tuesday night, ordering each civilian government agency to scan its systems for signs of the hack and take steps to fix the problem. Although it has historically done so only rarely, this is the second emergency directive the agency has issued in seven weeks, following the one for the Exchange hack.
“In recent months, we’ve issued them with increasing frequency, which is certainly a concern and something we don’t take lightly,” said Matt Hartman, the deputy director of the cybersecurity agency.
“We at CISA are very worried,” he said.
Unlike the SolarWinds and Exchange hacks, which had at least tens of thousands of potential victims, there are few indications that China used Pulse to hack a large number of targets. But the hack is particularly significant because it has allowed China to access several federal agencies and large US companies for months, said Charles Carmakal, Mandiant’s chief technology officer.
“We are beginning to see a resurgence of espionage activity by the Chinese government,” he said.
None of the victims have yet been made public, although that is likely to change, Carmakal said.
“In the coming weeks and months, we will have a better understanding of how big a deal this is from a national security perspective,” he said.
As in the case of the Exchange hack, China deflected, but did not deny, responsibility. In an e-mail statement, a spokesman for the Chinese embassy in the US, Liu Pengyu, said that China is “a strong defender of cyber security” and “strongly opposes and fights all forms of cyber attacks.”