MWD among targets in large-scale cyber-espionage hack blamed on China

[Image: icon of the Pulse Secure smartphone app. Caption: The smartphone app of Pulse Secure, which is used by numerous companies and governments for secure remote access to their networks. (Associated Press)]

A cyber-espionage campaign blamed on China was more sweeping than previously known, with suspected state-backed hackers exploiting a device meant to boost internet security to penetrate the computers of critical U.S. entities.

Among the suspected targets was the Metropolitan Water District of Southern California, which provides water to 19 million people and operates some of the largest treatment plants in the world.

The hack of Pulse Connect Secure networking devices came to light in April, but its scope is starting to become clear only now. The Associated Press has learned that the hackers targeted telecommunications giant Verizon, and security analysts say dozens of other high-value entities that have not yet been named were also targeted as part of the breach of Pulse Secure, which is used by many companies and governments for secure remote access to their networks. News broke earlier this month that the New York subway system, the country’s largest, was breached.

The MWD said it found a compromised Pulse Secure appliance after an alert about the hacking campaign was issued in April by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, or CISA. Rebecca Kimitch, a spokeswoman for the MWD, said that the compromised appliance was immediately removed from service and that none of the agency’s systems or processes was known to have been affected.

Kimitch said there was “no known data exfiltration.”

It’s unclear what sensitive information, if any, was accessed in the widespread hacking campaign, which security analysts said went after targets in several fields, including financial, technology and defense firms, as well as municipal governments. Some targets were in Europe, but most were in the U.S.

The Chinese government has denied any role in the Pulse Secure hacking campaign, and the U.S. government has not made any formal attribution. The new details of the hack come amid rising tension between Washington and Beijing. Biden has made checking China’s rising influence a top priority, including on his current tour to meet European and NATO leaders, and said the country’s ambition of becoming the wealthiest and most powerful nation in the world is “not going to happen under my watch.”

Some of the targets of the Pulse Secure hack said they did not see any evidence of data being stolen. That uncertainty is common in cyber-espionage, and it can take months to determine data loss, if it is ever discovered. Ivanti, the Utah-based owner of Pulse Connect Secure, declined to comment on which customers were affected.

Even if sensitive information wasn’t compromised, experts say it is worrisome that hackers managed to gain footholds in networks of critical organizations with secrets that could be of interest to China for commercial and national security reasons.

“The threat actors were able to get access to some really high-profile organizations, some really well-protected ones,” said Charles Carmakal, the chief technology officer of Mandiant, whose company first publicized the hacking campaign in April.

The Pulse Secure hack has largely gone unnoticed while a series of headline-grabbing ransomware attacks have highlighted the cyber vulnerabilities to U.S. critical infrastructure, including one on a major fuels pipeline that prompted widespread shortages at gas stations. The U.S. government is also still investigating the fallout of the SolarWinds hacking campaign launched by Russian cyberspies, which infiltrated dozens of private companies and think tanks as well as at least nine U.S. government agencies and went on for most of 2020.

China has a long history of using the internet to spy on the U.S. and presents a “prolific and effective cyber-espionage threat,” the Office of the Director of National Intelligence said in its most recent annual threat assessment.

Six years ago, Chinese hackers stole millions of background-check files of federal government employees from the Office of Personnel Management. Last year, the Justice Department charged two hackers who it said worked with the Chinese government to target firms developing COVID-19 vaccines and stole hundreds of millions of dollars’ worth of intellectual property and trade secrets from companies across the world.

In the Pulse Secure campaign, security experts said sophisticated hackers exploited never-before-seen vulnerabilities to break in and were hyper-diligent in trying to cover their tracks once inside.

“The capability is very strong and difficult to defend against, and the profile of victims is very significant,” said Adrian Nish, the head of cyber at BAE Systems Applied Intelligence. “This is a very targeted attack against a few dozen networks that all have national significance in one way or another.”

In its April alert about the hack, cybersecurity agency CISA said it was aware of “compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations.” The agency has since said that at least five federal bodies identified signs of potential unauthorized access, but it did not name the five.

Verizon said that it found a Pulse-related compromise in one of its labs but that it was quickly isolated from its core networks. The company said no data or customer information was accessed or stolen.

“We know that bad actors try to compromise our systems,” said Verizon spokesman Rich Young. “That is why internet operators, private companies and all individuals need to be vigilant in this space.”

The Metropolitan Transportation Authority in New York said it had not found evidence of valuable data or customer information having been stolen. That breach was first reported by the New York Times.

Nish, the BAE security expert, said the hackers could have broken into networks but not stolen data right away for any number of operational reasons. He compared it to a criminal breaking into a house but stopping in the hallway.

“It’s still pretty bad,” Nish said.

Mandiant said it found signs of data extraction from some of the targets.

At least one major local government has disputed that it was a target of the Pulse Secure hack. Montgomery County, Maryland, said it was advised by CISA that its Pulse Secure devices were attacked. But county spokesman Scott Peterson said the county found no evidence of a compromise and told CISA that it was a “false report.”

CISA did not directly respond to the county’s statement.