China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday.
The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices. The company announced Tuesday how users can check to see if they were affected but said the software update to prevent the risk to users won’t go out until May.
The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program.
In all three campaigns, the hackers first used those programs to hack into victims' computer networks, then created backdoors to spy on them for months, if not longer.
The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said in a warning Tuesday evening the latest hacking campaign is currently "affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations."
CISA activated its strictest emergency powers Tuesday evening, mandating that every civilian government agency scan to see if they were affected by the hack and to take actions to fix it. Though it's historically rare for it to do so, it's the second time in seven weeks the agency has issued an emergency directive after the Exchange hack.
"In recent months we have issued them with increasing frequency, which is certainly a concern and something we don't take lightly," said Matt Hartman, the agency's deputy executive assistant director of cybersecurity.
"We at CISA are very concerned," he said.
Unlike the hacks on SolarWinds and Exchange, both of which had at least tens of thousands of potential victims, there's little indication that China used Pulse to hack a broad number of targets. But the hack is particularly significant because it enabled China to gain access to several federal agencies and major U.S. companies for months, said Charles Carmakal, Mandiant's chief technology officer.
"We're starting to see a resurgence of espionage activity from the Chinese government," he said.
None of the victims have yet been made public, though that will likely change, Carmakal said.
"In the coming weeks and months, we're going to have a better sense of how big of a deal this is from a national security perspective," he said.
As with the Exchange hack, China deflected but did not deny responsibility. In an emailed statement, a spokesperson for China’s embassy in the U.S., Liu Pengyu, said China is "a staunch defender of cyber security" and "firmly opposes and cracks down on all forms of cyber attacks."