China is behind another hack as US cybersecurity issues escalate

China is behind a new series of hacks against key targets in the US government, private enterprises and the country’s critical infrastructure, cyber security firm Mandiant said on Wednesday.

The hack works by breaking into Pulse Secure, a program that companies often use to let remote workers connect to their offices. The company announced on Tuesday how users can check whether they are affected, but said the software update that removes the risk to users will not be available until May.

The campaign is the third clear and serious cyber espionage operation against the US announced in recent months, and it further stretches an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies through SolarWinds, a Texas-based software company widely used by U.S. businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all in which numerous different hackers broke into organizations around the world through the Microsoft Exchange email program.

In all three campaigns, the hackers first used the programs to hack into the victims’ computer networks, and then created backdoors to spy on them for months, if not longer.

The US Cybersecurity and Infrastructure Security Agency, or CISA, said in a warning on Tuesday night that the latest hacking campaign is currently affecting US government agencies, critical infrastructure entities and other private sector organizations.

CISA invoked its most stringent emergency powers Tuesday night and instructed every civilian government agency to investigate whether it was hit by the hack and to take steps to remediate it. Although such a step is historically rare, it is the second time in seven weeks that the agency has issued an emergency directive, after the Exchange hack.

“In recent months, we have been issuing them with increasing frequency, which is definitely a concern and something we do not take lightly,” said Matt Hartman, the deputy executive assistant director of cybersecurity.

“We at CISA are very concerned,” he said.

Unlike the hacks on SolarWinds and Exchange, which both had tens of thousands of potential victims, there is little indication that China used Pulse to hit a wide range of targets. But the hack is particularly important because it has enabled China to gain months of access to several federal agencies and large U.S. companies, said Charles Carmakal, Mandiant’s chief technology officer.

“We are beginning to see a resurgence of espionage activities by the Chinese government,” he said.

None of the victims have yet been made public, though that is likely to change, Carmakal said.

“In the coming weeks and months, we will have a better idea of how big it is from a national security perspective,” he said.

As with the Exchange hack, China has waved off but not denied responsibility. In an email, a spokesman for China’s embassy in the United States, Liu Pengyu, said China was a “strong defender of cyber security” and strongly opposed and cracked down on all forms of cyberattacks.
