Suspected state-backed Chinese hackers exploited widely used networking devices to spy for months on dozens of high-value government, defence industry and financial sector targets in the US and Europe, according to prominent cybersecurity firm FireEye.
And Tokyo police are investigating cyber attacks on some 200 Japanese companies and research organisations, including the country’s space agency, by a hacking group believed to be linked to the Chinese military, Japan’s government said.
FireEye said on Tuesday it believed two hacking groups linked to China broke into several targets through Pulse Connect Secure devices, which numerous companies and governments use for secure remote access to their networks.
After FireEye released a blog post detailing its findings, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an alert saying it was aware of “ongoing exploitation” of Pulse Connect Secure that is “compromising US government agencies, critical infrastructure entities, and private sector organisations”.
The agency did not provide additional details about which organisations were breached.
Ivanti, the Utah-based owner of Pulse Connect Secure, said a limited number of customers “experienced evidence of exploit behaviour”. The company said the hackers used three known exploits and a previously unknown one.
Charles Carmakal, the chief technology officer at FireEye, said it was still trying to piece together details about the hack but available evidence suggested the hackers were aligned with the Chinese government.
Carmakal, whose company discovered in December the months-long SolarWinds hacking campaign attributed to Russian cyberspies, said the Pulse Connect Secure hack had several notable aspects: the hackers were highly skilled, were able to evade multifactor authentication and could stay hidden on a penetrated network even if software was reset or upgraded.
“Their tradecraft is really good,” he said.
Meanwhile, Japanese police have forwarded the case involving attacks on the Japan Aerospace Exploration Agency (JAXA) to prosecutors for further investigation, chief cabinet secretary Katsunobu Kato told reporters.
Police believe a series of hacks of the JAXA were conducted in 2016-2017 by Tick, a Chinese cyberattack group under the direction of a unit of the People’s Liberation Army (PLA), Mr Kato said.
A suspect in the JAXA case, a Chinese systems engineer based in Japan, allegedly gained access to a rental server by registering himself under a false identity to launch the cyber attacks, Mr Kato said, citing the police investigation.
NHK public television said another Chinese national with suspected links to the PLA unit who was in Japan as an exchange student was also investigated in the case.
Both men have since left the country, it said.
Police are investigating the attackers’ intent and methods, while also pursuing scores of other cyberattacks that they suspect are linked to China’s military, Mr Kato said.
“The involvement of China’s People’s Liberation Army is highly likely,” he said.
Mr Kato added that no actual data leak or damage has been found so far but police are urging the companies to strengthen their protection.
Japan’s Defence Ministry says cyberattacks are part of rising security threats from China as it becomes more assertive in the region – a shared concern discussed in April 16 talks at the White House between US President Joe Biden and Japanese Prime Minister Yoshihide Suga.
In Beijing, Chinese Foreign Ministry spokesperson Wang Wenbin said cyberattacks were a common challenge faced by all countries and warned Japan against wrongly accusing China.