Chinese hackers behind VPN attack on US defence firms: security experts
Mandiant linked at least two hacking groups, one of them believed to be an official Chinese cyber-spying operation, to malware used to exploit vulnerabilities in VPN security devices made by Pulse Secure, owned by Utah-based Ivanti.
The group used the malware to try to hijack user and administrator identities and enter the systems of US defence industry companies between October 2020 and March 2021, Mandiant said.
It said that governments and financial firms in the US and Europe were also targeted. It called one of the hacking groups UNC2630. "We suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5," it said, referring to a known Chinese state-sponsored hacking group.
It said a "trusted third party" also tied the hacking to APT5. "APT5 persistently targets high-value corporate networks and often re-compromises networks over many years. Their primary targets appear to be aerospace and defence companies located in the US, Europe, and Asia," Mandiant said.
It said it did not have enough information to identify who was behind some of the malware. There was no assessment of how many companies were affected or what the hackers did with their access to the networks. Pulse confirmed the main parts of the Mandiant report, saying that it had already released fixes to its products to block the malware. Pulse said the hackers impacted "a limited number of customers."