China Silently Hacked Gov’t and Defense for a Year or More

After the Russian SolarWinds hack and the Chinese Exchange débâcle, here’s the third shoe to drop. And again it’s China being fingered by researchers.

By chaining security bugs in the Pulse Connect VPN, at least two APT groups have taken up residence in “dozens” of government agencies and defense contractors. Both are thought to be controlled by the Chinese Communist Party.

Evidence shows the hackers breaking in 10 months ago, with indications that they’ve been around for some time before that. In today’s SB Blogwatch, we can see where this is going.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: oldA vs. newB.

These Things Come In Threes

What’s the craic? Christopher Bing and Raphael Satter report—“China-linked hackers used VPN flaw to target U.S. defense industry”:

“Irresponsible and ill-intentioned”

At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry. … Utah-based IT company Ivanti said … the hackers took advantage of the flaw in its Pulse Connect Secure suite [and] that while mitigations were in place, a fix for the issue would be unavailable until early May.

Cybersecurity company FireEye … said it suspected that at least one of the hacking groups operates on behalf of the Chinese government. “The other one we suspect is aligned with China-based initiatives and collections,” said Charles Carmakal, [SVP] of Mandiant, an arm of FireEye. … “We are seeing pretty advanced tradecraft.”

The U.S. National Security Agency declined to comment. U.S. officials have repeatedly accused Chinese hackers of stealing American military secrets over the years through various means. … Chinese Embassy spokesperson Liu Pengyu said China “firmly opposes and cracks down on all forms of cyber attacks,” describing FireEye’s allegations as “irresponsible and ill-intentioned.”

How widespread is the problem? Ellen Nakashima and Aaron Schaffer say it’s in “dozens of government agencies [and] defense contractors”:

“Critical zero day”

Sophisticated Chinese government hackers are believed to have compromised dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors. … The intrusions are ongoing … and are the latest in a series of disturbing compromises of government agencies and private companies.

The intruders breached sensitive defense companies. … That was not the case with the Russian SolarWinds campaign, which compromised nine federal agencies but not the Pentagon or its contractors. … The Defense Department is not known to have been compromised in the current campaign, but the investigation is still ongoing.

The Chinese group, sometimes known as APT5, has in the past victimized defense contractors, telecommunications companies and other critical sectors. … The hackers took advantage of a critical zero day … in Pulse Secure.

CISA said the hacks began in June or earlier. FireEye has evidence of intrusions dating to the summer but suspects they took place “well before that.” … At least a dozen U.S. government agencies have or recently had contracts for the popular software.

Yikes, so likely a year or so? Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels tag-team thuswise—“Check Your Pulse”:

“On behalf of the Chinese government”

UNC2630’s combination of infrastructure, tools, and on-network behavior appear to be unique, and we have not observed them during any other campaigns or at any other engagement. [But we] noted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor APT5. We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government. [And a] trusted third party has uncovered evidence connecting this activity to … APT5.

A combination of prior vulnerabilities and a previously unknown vulnerability … are responsible. … Pulse Secure’s parent company, Ivanti, released mitigations.

O RLY? Phil Richards, Ivanti CSO, sends this “Pulse Connect Secure Security Update”:

“Releasing a software update”

We have discovered four issues, the bulk of which involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). We strongly recommend that customers review the advisories and follow the recommended guidance, including changing all passwords.

There is a new issue [which] impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. We will be releasing a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information.

Wait. Pause. So the exploit chain required an unpatched appliance? HildyJ feels déjà vu:

“How many intelligence agencies knew?”

Pulse Secure VPN had patched severe vulnerabilities years ago and they were still being exploited today because some … ignored the warnings and the patches. Too many companies and governments are unwilling to devote time and money to security. As a result, it’s happened again and will happen again.

I wonder how many intelligence agencies knew of this vulnerability? I assume Pulse Secure VPN is on all their target lists.

Good question. OrangeTide thinks we need a “cyber arms treaty”:

“Civilians a casualty of war”

The only way out of this mess is put the brakes on the cyber arms race. Treat attacks on civilian targets and infrastructure as terrorism. And severely restrict what operations are allowed. A military approach will only lead to an arms race of offense and defense, with the peaceful civilians a casualty of war.

Death to proprietary VPNs? So says fuzzyfuzzyfungus:

“Magnificently ill-placed”

So do we have any fancy-special-sauce VPNs that haven’t been discovered running in APT-Persistence-Gateway mode in the past 18 months or so? … It just seems like the genre has been a bit of a bloodbath lately—with the obvious downside that VPN appliances are magnificently ill-placed things for an attacker to have a foothold in.

Your tax dollars at work? Your Neighbour explains how to get ahead in The Pentagon:

“Hire idiots and buy bad software”

The problem is baked into our defense system: We prioritize outsourcing because it empowers Pentagon bureaucrats to spread dollars in targeted congressional districts. It avoids difficult problems of management and creates pseudo-security by “contracting” security requirements without any validation or true recourse in the event of failure.

[It’s] all about loyalty and perception, not actual ability. By design, private contractors have the expertise and the Pentagon is dependent on them, and no longer has the skills to make or do what’s necessary for security. … The people who hire idiots and buy bad software talk a good game, but they can’t tell good software from bad.

Meanwhile, riddle me this, Riddler876:


Having the misfortune of having to use pulse secure, this does not surprise me. It is garbage.

And Finally:

Old-skool-A vs. ASMR-pop-B


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Kremlin (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
