According to security firm FireEye, a massive Chinese espionage operation against US and European government entities includes four new hacking tools and reaches more commercial sectors than previously reported.
Two China-linked gangs — as well as additional hackers that investigators did not name — have used virtual private network software in breaches affecting the transportation and telecommunications industries. The breaches had previously only been identified as affecting the defense, banking, and government sectors, according to the firm.
The intruders are using Pulse Connect Secure, a popular VPN product, to break into networks and steal critical data. According to Mandiant, FireEye's incident response arm, many of the hacked firms "operate in verticals and industries aligned with Beijing's strategic objectives" specified in the Chinese government's latest "Five Year Plan" for economic growth.
According to Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, most of the breaches have been carried out by a group called UNC2630, which appears to work on behalf of the Chinese government. Four other pieces of malware are being used by the alleged Chinese hackers to collect data and cover their tracks.
In a blog post published Thursday, Mandiant analysts said, “Chinese cyber-espionage activity has shown a larger tolerance for risk and is less restrained by diplomatic considerations than previously characterized.”
In a separate incident disclosed by Microsoft in March, alleged Chinese spies used vulnerabilities in the Exchange Server software to steal email inboxes from U.S. firms. Some researchers said that the intrusions were unethical because the malicious code left on victims' systems could have been exploited by a variety of financially motivated criminals.
On Thursday, a request for comment on Mandiant's findings was not immediately answered by a representative for the Chinese Embassy in Washington, D.C. Beijing consistently denies carrying out cyberattacks.
Responding to the alleged Chinese attacks as well as a suspected Russian operation that used SolarWinds software has been a time-consuming process for US officials.
Pulse Connect Secure is used by at least 24 federal entities, with some national-security-focused research laboratories openly announcing the use of the software. According to a representative from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Pulse Connect Secure cyberattack may have compromised at least five civilian agencies.
According to the security firm, the claimed Chinese spies covered up traces of many of their hacks in some of the Pulse Connect breaches as Mandiant prepared to reveal the operation last month.
“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicate that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the Mandiant analysts alerted.
