According to senior officials in the United States government and private sector cyber defenders, the United States government is currently investigating a hack against federal agencies for at least the third time since the beginning of this year. The hack reportedly began during the administration of President Trump but was only recently discovered.
It is the most recent instance of what is known as a supply chain cyberattack, and it highlights the way that sophisticated groups, which are frequently backed by governments, are targeting vulnerable software developed by third parties as a stepping stone to sensitive government and corporate computer networks.
Hackers were able to penetrate a widely used virtual private network (VPN) known as Pulse Connect Secure, which was used by consumers, as part of the recently discovered data breaches involving the government.
According to publicly available contract records, more than a dozen different federal agencies use Pulse Secure on their internal networks. Last week, an emergency directive about cybersecurity required government agencies to conduct system scans and disclose any associated compromises they discovered.
According to Matt Hartman, a senior official with the United States Cybersecurity Infrastructure Security Agency, the results, which were collected on Friday and examined this week, show evidence of potential breaches in at least five federal civilian agencies’ information systems.
According to the assessment of one cybersecurity professional who is familiar with the situation, “this is a blend of traditional espionage with some aspect of economic robbery.” We have previously proven the exfiltration of data across a variety of different contexts.
Ivanti, the software firm that developed Pulse Secure and is based in Utah, stated that it anticipated providing a patch to correct the problem by this coming Monday, which is exactly two weeks after it was originally made public. According to what was added, only a “very restricted number of customer systems” had been compromised.
CISA and the FBI have been working with Pulse Secure and victims of the intrusion over the past two months to evict the intruders and find other evidence, according to another senior official in the United States who is reacting to the hacks but who declined to give their identity. The Federal Bureau of Investigation, the Department of Justice, and the National Security Agency all declined to comment.
The investigation into the Pulse Secure activity being conducted by the United States government is still in its early stages, according to the senior official from the United States, who noted that the scope, impact, and attribution remain unknown.
Researchers at the United States-based cybersecurity firm FireEye and at another company, the names of which were not disclosed, say that since 2019, they have observed multiple hacking groups, including an elite team that they associate with China, exploiting the newly discovered flaw as well as several others that are similar to it.
The spokesperson for the Chinese Embassy, Liu Pengyu, issued a statement last week in which she said that China “firmly opposes and cracks down on all sorts of cyber attacks.” She also referred to the charges made by FireEye as “irresponsible and ill-intentioned.”
During the COVID-19 pandemic, there has been a meteoric rise in the number of people connecting to business networks through the use of virtual private networks, sometimes known as VPNs. However, as the use of VPNs has increased, so has the risk that is linked with them.
“This is another example in a recent pattern of cyber actors targeting vulnerabilities in widely used VPN products as our nation continues to largely remain in remote and hybrid work postures,” said Hartman. “[T]his is another example in a recent pattern of cyber actors targeting vulnerabilities in widely used VPN products.”
Three cybersecurity consultants who are involved in the response to the hacks told Reuters that the victim list is weighted toward the United States and so far includes defence contractors, civilian government agencies, solar energy companies, telecommunications firms, and financial institutions. This information was provided by the consultants who are responding to the hacks.
The consultants also stated that they were aware of less than one hundred victims between all of them, which suggests that the hackers have been concentrating on a rather restricted target.
Analysts believe the malicious operation started about 2019 and used existing holes in Pulse Secure and other products provided by Fortinet, a company that specialises in cybersecurity, before activating the new vulnerabilities.
According to Hartman, the cyberattacks on the civilian agencies go back to at least June of 2020.
HACKING THE SUPPLY
A recent study conducted by the Atlantic Council, a think tank located in Washington, looked at 102 instances of supply chain hacking and found that they have increased significantly over the past three years. According to the research, thirty of the attacks originated from government-backed groups, especially in the countries of Russia and China.
The government is still dealing with the impact from three additional cyberattacks at the time when the Pulse Secure response has been implemented.
The first incident is known as the SolarWinds hack, and it is believed that hackers working for the Russian government took control of the company’s network management tool and used it to penetrate nine different federal departments.
A separate group of Chinese hackers found and exploited a vulnerability in the email server software known as Exchange that was developed by Microsoft. This flaw also necessitated a massive response effort, but ultimately, there was no impact to federal networks, according to officials in the United States.
This month, the software development company that makes the programming tools known as Codecov announced that a flaw in their system left thousands of users vulnerable within their own coding environments.
According to a person who has been briefed on the inquiry, the customers who had the Codecov hackers take credentials for further access to code repositories or other material included certain government entities. On that particular investigation, Codecov, the FBI, and the Department of Homeland Security all declined to comment.
The United States plans to address some of these systemic issues with an upcoming executive order. The order will require government agencies to identify the software that is most important to them, and it will promote a “bill of materials” that mandates a certain level of digital security for all products that are sold to the government.
According to the senior official of the United States, “We think that [this is] the most powerful method to truly impose costs on these adversaries and make it that much harder.”