A cyberespionage campaign blamed on China was more sweeping than previously known, with suspected state-backed hackers exploiting a device meant to boost Internet security to penetrate the computers of critical US entities.
The hack of Pulse Connect Secure networking devices came to light in April, but its scope is only now starting to become clear.
The hackers targeted telecommunications giant Verizon and the Metropolitan Water District of Southern California, the US’ largest water agency.
News broke earlier this month that the New York City subway system, the country’s largest, was also breached.
Security researchers said that dozens of other high-value entities that have not yet been named were also targeted as part of the breach of Pulse Secure, which is used by many companies and governments for secure remote access to their networks.
It is unclear what sensitive information, if any, was accessed.
Some of the targets said that they did not see any evidence of data being stolen.
That uncertainty is common in cyberespionage and it can take months to determine data loss, if it is ever discovered.
However, even if sensitive information was not compromised, experts say that it is worrisome that hackers managed to gain footholds in networks of critical organizations whose secrets could be of interest to China for commercial and national security reasons.
“The threat actors were able to get access to some really high-profile organizations, some really well-protected ones,” said Charles Carmakal, head technology officer of Mandiant, whose company first publicized the hacking campaign in April.
China has a long history of using the Internet to spy on the US and presents a “prolific and effective cyberespionage threat,” the US Office of the Director of the National Intelligence said in its most recent annual threat assessment.
The Chinese government has denied any role in the Pulse hacking campaign and the US government has not made any formal attribution.
In the Pulse campaign, security experts said sophisticated hackers exploited never-before-seen vulnerabilities to break in and were hyper diligent in trying to cover their tracks once inside.
“The capability is very strong and difficult to defend against, and the profile of victims is very significant,” BAE Systems Applied Intelligence head of cyber Adrian Nish said. “This is a very targeted attack against a few dozen networks that all have national significance in one way or another.”
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an April alert about the Pulse hack saying that it was aware of “compromises affecting a number of US government agencies, critical infrastructure entities and other private sector organizations.”
The new details of the Pulse Secure hack come at a time of tension between the US and China.
US President Joe Biden has made checking China’s growth a top priority, and said the country’s ambition of becoming the wealthiest and most powerful country in the world is “not going to happen under my watch.”
DISASTER: The Bangladesh Meteorological Department recorded a magnitude 5.7 and tremors reached as far as Kolkata, India, more than 300km away from the epicenter A powerful earthquake struck Bangladesh yesterday outside the crowded capital, Dhaka, killing at least five people and injuring about a hundred, the government said. The magnitude 5.5 quake struck at 10:38am near Narsingdi, Bangladesh, about 33km from Dhaka, the US Geological Survey (USGS) said. The earthquake sparked fear and chaos with many in the Muslim-majority nation of 170 million people at home on their day off. AFP reporters in Dhaka said they saw people weeping in the streets while others appeared shocked. Bangladesh Interim Leader Muhammad Yunus expressed his “deep shock and sorrow over the news of casualties in various districts.” At least five people,
ON THE LAM: The Brazilian Supreme Court said that the former president tried to burn his ankle monitor off as part of an attempt to orchestrate his escape from Brazil Former Brazilian president Jair Bolsonaro — under house arrest while he appeals a conviction for a foiled coup attempt — was taken into custody on Saturday after the Brazilian Supreme Court deemed him a high flight risk. The court said the far-right firebrand — who was sentenced to 27 years in prison over a scheme to stop Brazilian President Luiz Inacio Lula da Silva from taking office after the 2022 elections — had attempted to disable his ankle monitor to flee. Supreme Court judge Alexandre de Moraes said Bolsonaro’s detention was a preventive measure as final appeals play out. In a video made
It is one of the world’s most famous unsolved codes whose answer could sell for a fortune — but two US friends say they have already found the secret hidden by Kryptos. The S-shaped copper sculpture has baffled cryptography enthusiasts since its 1990 installation on the grounds of the CIA headquarters in Virginia, with three of its four messages deciphered so far. Yet K4, the final passage, has kept codebreakers scratching their heads. Sculptor Jim Sanborn, 80, has been so overwhelmed by guesses that he started charging US$50 for each response. Sanborn in August announced he would auction the 97-character solution to K4
SHOW OF FORCE: The US has held nine multilateral drills near Guam in the past four months, which Australia said was important to deter coercion in the region Five Chinese research vessels, including ships used for space and missile tracking and underwater mapping, were active in the northwest Pacific last month, as the US stepped up military exercises, data compiled by a Guam-based group shows. Rapid militarization in the northern Pacific gets insufficient attention, the Pacific Center for Island Security said, adding that it makes island populations a potential target in any great-power conflict. “If you look at the number of US and bilateral and multilateral exercises, there is a lot of activity,” Leland Bettis, the director of the group that seeks to flag regional security risks, said in an
RSS