WASHINGTON — Sophisticated Chinese government hackers are believed to have compromised dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors, according to a private cybersecurity firm working with the federal government.
The intrusions are ongoing, the FireEye security company said, and are the latest in a series of disturbing compromises of government agencies and private companies.
The investigation is in its early stages but already has turned up evidence that the intruders breached sensitive defense companies, according to FireEye. That was not the case with the Russian Solar Winds campaign, which compromised nine federal agencies but not the Pentagon or its contractors, U.S. officials said.
And the recent discovery of a separate Chinese operation targeting Microsoft Exchange email servers — one that affected potentially more than 100,000 private-sector companies — did not hit U.S. government agencies.
The Defense Department is not known to have been compromised in the current campaign, but the investigation is still ongoing, said one U.S. official who spoke on the condition of anonymity because of the matter’s sensitivity.
The hacking group involved was “very advanced” in its steps to evade detection, said Charles Carmakal, chief technology officer of Mandiant, a division of FireEye. The campaign was targeted, focusing on high-value victims with information of value to the Chinese government, he said.
“This looks like classic China-based espionage,” Carmakal said. “There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won’t ever know about.”
The Chinese group, sometimes known as APT5, has in the past victimized defense contractors, telecommunications companies and other critical sectors, he said.
FireEye also detected a second group involved in the hacking operation but could not tell whether that one was based in China or had government links, Carmakal said.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged in an alert Tuesday that the agency was aware of “ongoing exploitation” of software flaws in servers at “U.S. government agencies, critical infrastructure entities, and private sector organizations.”
CISA and FireEye said that the flaws were in Pulse Secure virtual private network servers that enable employees to remotely access their company networks. CISA urged organizations using Pulse Secure to update to the latest software version and run a tool provided by the company to check for compromises.
Pulse Secure, which is now owned by Ivanti, issued a statement Tuesday saying a “limited number” of customers were affected. “The team worked quickly to provide mitigations directly” to the affected customers, it said.
The White House and FBI declined to comment.
CISA said the hacks began in June or earlier. FireEye has evidence of intrusions dating to the summer but suspects they took place “well before that,” Carmakal said. “We’re just limited to the forensic data available to us.”
The company first detected the private-sector intrusions earlier this year and notified the government “a few weeks ago,” he said. The hackers took advantage of a critical “zero day,” or previously unknown vulnerability in Pulse Secure, he said.
At least a dozen U.S. government agencies have or recently had contracts for the popular software, according to a Washington Post review.
They hackers were able to disguise their activity, CISA said, by using hacked devices such as internet routers in the vicinity of their victims’ locations. Most were in the United States, but some were in Europe, Carmakal said. They also disguised themselves by renaming their systems to masquerade as employees whose computers they hacked, he said.
There was far more concern about the Microsoft Exchange hack — U.S. national security adviser Jake Sullivan even tweeted out an alert urging organizations using the servers to patch “ASAP.” That was because the campaign was far more indiscriminate, affecting potentially any organization or business that ran the Exchange servers to host non-cloud email. The alarms moved enough organizations to patch their systems that the widespread damage some feared might result from the campaign has so far been avoided.
— — —
The Washington Post’s Tonya Riley contributed to this report.