Governments and financial organizations around the world have been targeted by an espionage campaign allegedly linked to Chinese state-sponsored actors.
Earlier this week, American cybersecurity firm Ivanti acknowledged a flaw in its Pulse Connect Secure VPN devices that had allowed bad actors to move into the systems of “a very limited number of customers”.
At the moment, there are no patches for the Pulse Connect Secure suite flaw, but mitigations have been put in place. The company expects a patch to be released next month.
The flaw has reportedly been active for “months”, and a separate report from experts at FireEye suggests two distinct groups have been using it to eavesdrop on western businesses and government entities.
FireEye also said at least one of the groups “operates on behalf of the Chinese government”, but did not reveal the identity of the attackers or the victims.
“The other one we suspect is aligned with China-based initiatives and collections,” said Charles Carmakal, SVP at Mandiant, FireEye’s cybersecurity arm.
Similar attack pattern
China has denied all allegations, with the country’s US embassy claiming it “firmly opposes and cracks down on all forms of cyber attacks”. Officials described FireEye’s insinuations as “irresponsible and ill-intentioned”.
FireEye, on the other hand, has based its conclusions on the tactics, tools, infrastructure and targets, all of which were strikingly similar to previous attacks linked to China.
The Department of Homeland Security was brief in its statement, saying it is working with Ivanti “to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks”.
Further details are scarce, but Carmakal did add that the attackers were working from American infrastructure, borrowing the naming conventions of their victims to help them hide in plain sight.