Amid All The Ransomware Attacks, The Scope Of The Unnoticed Pulse Connect Hack Is Just Starting To Show

June 15, 2021

By a Biometrica staffer

In April, cybersecurity firm FireEye said on its Threat Research Blog that Chinese hackers suspected of being state-backed had for months exploited widely used networking devices to spy on dozens of high-value government, defense industry, and financial sector targets in the U.S. and Europe, according to the Associated Press. In its blog post, FireEye said it believed that two hacking groups linked to China had broken into several targets via Pulse Connect Secure devices, which many companies and governments use for secure remote access to their networks.

Today, on June 15, the Associated Press reported that the cyberespionage campaign was more sweeping than previously known and its scope is only now starting to become clear. The Associated Press said it has learned that the hackers targeted telecommunications giant Verizon and the country’s largest water agency. But while ransomware attacks have been in the spotlight — and have even been given the same priority as terrorism, as reported by Reuters earlier this month — the Pulse Connect Secure devices attack has gone largely unnoticed.

This news comes even as U.S. officials are still grappling with the aftereffects of the SolarWinds hack, whose targets included the Treasury, Justice and Homeland Security departments. On May 28, Microsoft said the state-backed Russian cyber spies behind SolarWinds had that week launched a targeted phishing assault on U.S. and foreign government agencies and think-tanks, using an email marketing account of the U.S. Agency for International Development (USAID), a Guardian report said. And it was only a few weeks before that when cybercriminals hacked into Colonial Pipeline. In June, a cyberattack on JBS SA, the largest global meat producer operating in the country, forced the shutdown of all its U.S. beef plants.

Security researchers said dozens of other high-value entities that have not yet been named were also targeted as part of the breach of Pulse Secure, according to today’s Associated Press article. It’s still unclear if any sensitive information was accessed as part of this hack, although some of the targets have said they haven’t seen any evidence of data being stolen.

Verizon said it found that one of its labs had been compromised in a Pulse-related incident, but that the lab was quickly isolated from its core networks, and no data or customer information was accessed or stolen. The Metropolitan Water District of Southern California, which provides water to 19 million people and operates some of the largest treatment plants in the world, said it found a compromised Pulse Secure appliance after the Cybersecurity and Infrastructure Security Agency (CISA) issued its alert in April. There was “no known data exfiltration” in this case either, the Associated Press report added.

Even so, experts say it is worrisome that hackers managed to gain footholds in the networks of critical organizations whose secrets could be of interest to China for commercial and national security reasons. “The threat actors were able to get access to some really high-profile organizations, some really well-protected ones,” Charles Carmakal, the chief technology officer of Mandiant (FireEye), told the Associated Press. The Chinese government has denied any role in the Pulse hacking campaign, and the U.S. government has not made any formal accusations.

After FireEye’s blog was published, CISA issued an emergency directive on April 20 requiring federal civilian departments and agencies running Pulse Connect Secure products to assess and mitigate any anomalous activity or active exploitation detected on their networks. The directive also said that if mismatches or new files were found, the departments and agencies had to take mitigation actions and contact CISA for potential incident response activities. On April 30, CyberScoop reported that the Justice Department was undertaking a four-month review of its approach to combating a range of malicious cyber activity from foreign governments and criminals.

Only on June 2 did news break that the New York Metropolitan Transportation Authority’s computer systems had been hacked in April by a group believed to be linked to the Chinese government. The hackers did not gain access to the systems that control train cars, and rider safety was not at risk, the New York Times reported, but it added that transit officials raised concerns that the hackers could have entered those operational systems, or could continue to penetrate the agency’s computer systems through a back door. Two days later, the Director of the Federal Bureau of Investigation (FBI), Christopher Wray, said the agency was investigating about 100 different types of ransomware, many tracing back to hackers in Russia, according to a Wall Street Journal report.

In May, President Joe Biden issued an executive order aimed at improving the country’s cybersecurity. “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” he said at the time.

Cyber threats from nation states and their surrogates will remain acute, the Office of the Director of National Intelligence (DNI) said in its 2021 Annual Threat Assessment report. “Although an increasing number of countries and nonstate actors have these capabilities, we remain most concerned about Russia, China, Iran, and North Korea. Many skilled foreign cybercriminals targeting the United States maintain mutually beneficial relationships with these and other countries that offer them safe haven or benefit from their activity,” the DNI report added.