WASHINGTON—At least two groups of China-linked hackers have spent months using a previously undisclosed vulnerability in virtual private networking devices to spy on the U.S. defense industry, researchers and the devices’ manufacturer said.
Ivanti provided no details about who might be responsible for the espionage campaign but, in a report timed to Ivanti’s announcement, cybersecurity company FireEye Inc. said it suspects that at least one of the hacking groups operates on behalf of the Chinese government.
“The other one we suspect is aligned with China-based initiatives and collections,” said Charles Carmakal, a senior vice president of Mandiant, an arm of Fireye, ahead of the report’s release.
While tying hackers to a specific country is fraught with uncertainty, Carmakal said his analysts’ judgment was based on a review of the hackers’ tactics, tools, infrastructure, and targets—many of which echoed past China-linked intrusions.
Chinese Embassy spokesperson Liu Pengyu says China “firmly opposes and cracks down on all forms of cyberattacks,” while describing FireEye’s allegations as “irresponsible and ill-intentioned.”
FireEye declined to identify the hackers’ targets, identifying them only as “defense, government, and financial organizations around the world.” It said the group of hackers suspected of working on Beijing’s behalf were particularly focused on the U.S. defense industry.
In a statement, the cyber arm of the Department of Homeland Security said it was working with Ivanti “to better understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks.”
The U.S. National Security Agency declined to comment. U.S. officials have repeatedly accused Chinese hackers of stealing American military secrets over the years through various means.
Lately, networking devices, which can be hard for companies to monitor, have emerged as a favored avenue for digital spies.
The timing of the latest series of hacks wasn’t made explicit, although FireEye’s report said it investigated them “early this year.”
Carmakal added that the hackers were operating from U.S. digital infrastructure and borrowing the naming conventions of their victims to camouflage their activity so they would look like any other employee logging in from home.
“We are seeing pretty advanced tradecraft,” he said.