Suspected Chinese agents have been hacking US government agencies by exploiting a weakness in a VPN for months, report says

[Image: A VPN logo seen on a smartphone. Not related to this story. Omar Marques/SOPA Images/LightRocket via Getty Images]
  • The FireEye cybersecurity firm said Tuesday that Pulse Secure VPN had been compromised since June 2020.

  • Researchers said "defense, government, and financial organizations around the world" were affected.

  • FireEye said it suspects the Chinese government-linked UNC2630 hacking group was behind it.

Hackers with suspected ties to the Chinese government have been targeting US and international government departments, defense agencies, and financial institutions for months, researchers said Tuesday.

The cybersecurity firm FireEye reported that a VPN product from Pulse Secure had been compromised. CNN reported that the Pulse Secure VPN is widely used.

The hack began in June 2020 or earlier, the US Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, said in a Tuesday statement.

The VPN was used by "defense, government, and financial organizations around the world," FireEye said, without specifying further.

A US official told The Washington Post that the Department of Defense was not compromised.

FireEye said it believed that a hacking group known as UNC2630, which has links to the Chinese government, was behind the intrusion.

"We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5," the authors said, referring to the APT5 hacking group that FireEye has previously linked to the Chinese government.

Charles Carmakal, FireEye's senior vice president, told Computer Weekly that UNC2630's primary goals were to maintain "long-term access to networks, collecting credentials, and stealing proprietary data."

The hackers were able to breach the Pulse Secure VPN product due to old vulnerabilities that were recently patched, FireEye said.

"We suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020," the researchers wrote.

FireEye said UNC2630 deployed seven new malware tools to breach the product.

Pulse Secure also said in a Tuesday blog post that it was working to solve the issue in conjunction with CISA.

"The team has been working proactively with leading forensic experts and industry groups, including Mandiant/FireEye, CISA, and Stroz Friedberg, among others, to investigate and respond to the exploit behavior," the company said.

On Tuesday, the UK government's National Cyber Security Centre also published a statement about the hack, and urged any domestic customers to implement a workaround published by Pulse Secure immediately. The NCSC did not say whether any UK government agencies or private organizations had been affected by the hack.

The US regularly accuses China of trying to steal state secrets, accusations that officials in Beijing have denied.

Last month, the White House said that China was behind the recent hack of Microsoft's Exchange email product, and last July the US accused Chinese hackers of trying to steal information related to Moderna's COVID-19 vaccines.

In 2017, the Justice Department concluded that Chinese hackers had stolen the personal information of 145 million Americans after accessing the Equifax credit reporting agency.

Pulse Secure products have been targeted by suspected Chinese hackers before.

In September 2019, ZDNet reported that VPN servers run by Fortinet and Pulse Secure were being targeted by the APT5 hacking group.

Read the original article on Business Insider