April 29 - For the first time since the beginning of this year, the U.S. GovernmentU.S. Government is investigating a cyber attack on government agencies that began during the Trump administration but was only discovered recently, according to senior U.S. officials and the private sector cyber defenders.
It is the latest so-called supply chain cyber attack that reveals how wealthy, often security-backed groups are targeting sensitive software built by third parties as a stepping stone to government and corporate computer networks.
The new government breaches involve a popular virtual private network known as Pulse Connect Secure which hackers were able to break as its customers used it.
More than a dozen public agencies have Pulse Secure on their network, according to federal contract records.An insecure cybersecurity directive last week called agencies to report systems for related hacks and scanning back.
The results, collected on Friday and analyzed this week, demonstrate potential breaches in at least five federal civilian agencies, said Matt Hartman, a senior official with the U.S. Cybersecurity Infrastructure Security AgencyU.S. Cybersecurity Infrastructure Security Agency.
'This is a combination of economic espionage with an element of traditional theft, said one cybersecurity consultant familiar with the matter.'We have already confirmed data exfiltration across numerous environments.
Ivanti, the developer of Pulse Secure, Utah-based software company Ivanti, said that it expected to fix the problem by Monday, two weeks after it was first publicized.It had only a very limited number of customer systems added, penetrated.
Over the past two months, CISA and the FBI have been working with Pulse Secure and victims of the hack to uncover intruders and unveiled other evidence, says another senior U.S. official who declined to be identified but is responding to the attacks.The National Security Agency declined to comment about the FBI, Justice Department and the National Security Agency.
The U.S. government's investigation into Pulse Secure activity is still in its early stages, said the senior U.S. official, who adds that the scope, impact and attribution remains unclear.
Security researchers from the federal cybersecurity firm FireEye and another firm, which declined to be named, say that they've used multiple hacking groups, including an elite team they associate with China that exploited the new flaw and several others like it since 2019.
In a statement released last week, Chinuan said China cracks down and firmly opposes all forms of cyber attacks, describing FireEye's allegations as irresponsible and politically ill-intentioned.
The use of VPNs which create encrypted tunnels for connecting remotely to corporate networks has increased during the COVID-19 pandemic.However, with the growth in VPN use comes the associated risk too.
'This is another example of a recent pattern of cyber actors targeting vulnerabilities in widely used VPN products as our nation largely remains in remote and hybrid working postures, said Hartman.
Three cybersecurity consultants involved in responding to the hacks told Reuters that the victim list is weighted toward the United States and so far includes defense contractors, civil government agencies, solar energy firms, telecommunications firms and financial institutions.
The consultants also said they were aware of less than 100 combined victims so far between them, suggesting a fairly narrow focus by hackers.
Analysts believe the malicious operation began around 2019 and exploited different vulnerabilities in Pulse Secure and separate products made by the Fortinet software firm before exploiting the new vulnerabilities.
Hartman said that the civilian agencies hacks date back to at least June 2020.
A recent report by the Atlantic Council, a Washington think tank, has found 102 supply chain hacking incidents in the last three years and they have surged in recent year.Thirty of the attacks came from government-supported groups, mainly in China and Russia, the report said.
The Pulse Secure Response comes as the government is still grappling with the aftermath of three other cyber attacks.
The first is known as the SolarWinds hack in which suspected Russian government hackers designed the company's network management program to reemerge inside nine federal agencies.
A weakness in Microsoft's email server software, named Exchange, also requires a federal response effort, although there was ultimately no impact on specific Chinese networks, according to U.S. officials.
Then a weakness at a Maker of programming tools, Codecov exposed thousands of customers inside their coding environments, the company disclosed this month.
According to a source who reported on the investigation, some government agencies were among the clients for which the Codecov hackers demanded credentials for further access to code repositories or other data.Codecov, the FBI and the Department of Homeland Security declined to comment on this case.
The U.S. plans to address some of these digital issues with an upcoming executive order that will require agencies to promote their most critical software and identify a 'bill of materials' that demands a certain level of systemic security across products sold to the government.
'We think this is the most effective way to make lives harder on these adversaries and set it up that much more drastic, said the senior U.S. official.