RICHMOND, Virginia (AP) – A cyber espionage campaign blamed on China went further than previously known, with suspected state-sponsored hackers exploiting a cyber security device to break into the computers of critical US companies.
The Pulse Connect Secure network device hack became known in April, but its scope is only now becoming clear. The Associated Press has learned that the hackers have targeted telecommunications giant Verizon and the country’s largest water authority. Earlier this month it was announced that New York City’s subway system, the largest in the country, had also been breached.
Security researchers say dozens of other high-value companies that have not yet been named were also attacked as part of the breach of Pulse Secure, which is used by many companies and governments to securely access their networks remotely.
It is unclear what sensitive information may have been accessed. Some of the victims said they saw no evidence of data theft. This uncertainty is common in cyber espionage, and it can take months to detect data loss, if it is ever discovered at all. Ivanti, the Utah-based owner of Pulse Connect Secure, declined to comment on the affected customers.
But even if sensitive information has not been compromised, experts say it is worrying that hackers have managed to gain a foothold in networks of critical organizations whose secrets may be of interest to China for commercial and national security reasons.
“The threat actors were able to gain access to some really high-profile organizations, some really well-protected,” said Charles Carmakal, chief technology officer at Mandiant, whose company first publicized the hacking campaign in April.
The Pulse Secure hack went largely unnoticed while a string of headline-making ransomware attacks exposed the cyber vulnerabilities in critical US infrastructure, including one on a large fuel pipeline that resulted in widespread shortages at gas stations. The U.S. government is also still investigating the aftermath of the SolarWinds hacking campaign launched by Russian cyber spies, which infiltrated dozens of private sector companies and think tanks, as well as at least nine U.S. government agencies, and which lasted for most of 2020.
China has a long history of using the Internet to spy on the US and poses a “productive and effective cyber espionage threat,” the office of the Director of National Intelligence said in its latest annual threat assessment.
Six years ago, Chinese hackers stole millions of background check files on federal government employees from the Human Resources Bureau. And last year, the Justice Department charged two hackers who allegedly worked with the Chinese government to defraud companies developing vaccines for the coronavirus and steal hundreds of millions of dollars’ worth of intellectual property and trade secrets from companies around the world.
The Chinese government has denied any role in the Pulse hacking campaign and the US government has not made a formal attribution.
In the Pulse campaign, security experts said that sophisticated hackers took advantage of never-before-seen vulnerabilities to break in, and once inside they took great care to cover their tracks.
“The skills are very strong and difficult to defend, and the victim profile is very significant,” said Adrian Nish, director of cyber at BAE Systems Applied Intelligence. “This is a very targeted attack on a few dozen networks, all of which are of national importance in one way or another.”
The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) issued a warning about the Pulse hack in April, saying it was aware of “compromises affecting a number of US government agencies, critical infrastructure and other private sector organizations.” The agency has since said that at least five federal agencies have identified evidence of possible unauthorized access, but hasn’t said which ones.
Verizon said it had found a Pulse-related compromise in one of its labs, but it was quickly isolated from its core networks. The company said no data or customer information was accessed or stolen.
“We know that bad actors try to compromise our systems,” said Verizon spokesman Rich Young. “This is why internet operators, private companies and all individuals must be vigilant in this area.”
Southern California’s Metropolitan Water District, which provides water for 19 million people and operates some of the largest wastewater treatment plants in the world, announced it had found a compromised Pulse Secure device after CISA issued its warning in April. Spokeswoman Rebecca Kimitch said the device was immediately taken out of service and no Metropolitan systems or processes were affected. She said there was “no known data exfiltration.”
The Metropolitan Transportation Authority in New York also said it had found no evidence that valuable data or customer information was stolen. The breach was first reported by the New York Times.
Nish, the BAE security expert, said the hackers may have broken into networks but not immediately stolen data, for various operational reasons. He compared it to a criminal who breaks into a house but stops in the hallway.
“It’s still pretty bad,” said Nish.
Mandiant said it found evidence of data extraction from some of the targets. The company and BAE have identified targets of the hacking campaign in several sectors, including finance, technology and defense companies, as well as local governments. Some of the targets were in Europe, but most of them were in the United States.
At least one major local government has denied being a target of the Pulse Secure hack. Montgomery County, Maryland, said it had been informed by CISA that its Pulse Secure devices were under attack. But county spokesman Scott Peterson said the county had found no evidence of a compromise and told CISA they had a “false report.”
CISA did not respond directly to the county’s statement.
The new details of the Pulse Secure hack come at a time of tension between the US and China. Biden has made reviewing China’s growth a top priority, saying the country’s ambition to become the richest and most powerful country in the world will “not come under my supervision.”
Copyright © 2021. All rights reserved.