Chinese group attacking US government agencies through Pulse Secure

The threat actors are 'very advanced' in evading detection, according to security experts

Hackers with suspected links to China have been exploiting a security bug in Pulse Secure's VPN software to compromise the networks of defence firms, government agencies and other institutions in the US and Europe.

Researchers at FireEye documented how an advanced persistent threat (APT) group used an authentication-bypass zero-day, together with other, previously known flaws in Pulse Secure VPN, to steal account credentials and other confidential data belonging to organisations in the US defence sector.

The zero-day, tracked as CVE-2021-22893, is a critical authentication-bypass flaw in Pulse Connect Secure that lets an unauthenticated attacker execute code on the VPN gateway. It was disclosed earlier this month and carries the maximum CVSS score of 10.0.

Charles Carmakal, chief technology officer of Mandiant, a division of FireEye, said that the threat group behind the recent attacks is "very advanced" at evading detection and appears to have links with China.

"This looks like classic China-based espionage," Carmakal said, adding, "there are some similarities between portions of this activity and a Chinese actor we call APT5.

"There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won't ever know about."

The group is reportedly using about a dozen separate malware families, some of which allow it to circumvent two-factor authentication and plant backdoors on the targeted devices.

FireEye said that some of the intrusions exploiting the new security flaw began as early as August 2020.

Researchers also identified a second group involved in the campaign, but said there was not yet enough evidence to link it to a government.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about the case. It urged organisations using Pulse Secure's VPN software to update to the latest version and to run the Pulse Connect Secure Integrity Tool to check for signs of compromise, since upgrading an appliance does not by itself remove a backdoor or web shell an attacker has already installed on it.

Pulse Secure, which is now owned by Ivanti, said a full patch to address the vulnerability will not be available until the beginning of May.

The company said that a 'limited number' of customers were affected in these attacks.

'The team worked quickly to provide mitigations directly' to the affected customers, it added.

The revelations represent the latest cybersecurity crisis to hit the US, following the SolarWinds cyber-espionage campaign disclosed in December last year. The US Treasury Department, the US Department of Commerce and several other federal agencies and private firms were compromised in that attack, which has been linked to Russia.

The SolarWinds hackers also breached email accounts belonging to the former acting head of the Department of Homeland Security (DHS) and senior members of the DHS's cybersecurity division (CSD).

Last week, the US Treasury Department sanctioned six Russian technology firms for aiding government hackers engaged in 'dangerous and disruptive cyber attacks'.

The Department said that these six firms had been developing infrastructure and tools, providing expertise, and carrying out malicious cyber activities on behalf of Kremlin intelligence services.