Pulse Secure VPN hacking also hit transportation, telecom firms, FireEye says

The U.S. government has also been affected.
Chinese President Xi Jinping, pictured on September 30, 2020. (Photo by Noel Celis/AFP via Getty Images)

A sprawling Chinese espionage operation against U.S. and European government organizations extends to more commercial sectors than previously known and involves four new hacking tools, security firm FireEye said Thursday.

All told, two China-linked groups — and other hackers that investigators did not name — are exploiting virtual private network software in breaches that have touched the transportation and telecommunication sectors, according to FireEye. The firm had previously only named the defense, financial and government sectors as affected by the breaches.

The attackers are exploiting popular VPN software known as Pulse Connect Secure to burrow into networks and steal sensitive data. Many of the breached organizations “operate in verticals and industries aligned with Beijing’s strategic objectives” that are outlined in the Chinese government’s latest “Five Year Plan” for economic growth, according to Mandiant, FireEye’s incident response arm.

The majority of the intrusions have been carried out by a group called UNC2630, which appears to operate on behalf of the Chinese government, said Sarah Jones, senior principal analyst at Mandiant Threat Intelligence. The alleged Chinese hackers are using four additional pieces of malware to steal data and cover their tracks.


“Chinese cyber-espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized,” analysts from Mandiant wrote in a blog Thursday.

In separate activity that Microsoft revealed in March, alleged Chinese spies exploited flaws in the Exchange Server software to steal email inboxes from U.S. organizations. Some analysts argued that those hacks violated cyberspace norms because the malicious code left on victim computers could have been exploited by a range of financially motivated criminals.

A spokesperson for the Chinese Embassy in Washington, D.C., did not immediately respond to a request for comment on Thursday on Mandiant’s findings. Beijing routinely denies conducting cyberattacks.

Responding to the alleged Chinese hacks — along with an alleged Russian operation exploiting SolarWinds software — has often been a labor-intensive cleanup for U.S. officials. At least 24 federal agencies use Pulse Connect Secure, with some national-security-focused research labs openly advertising their use of the software. At least five civilian agencies may have been breached in the Pulse Connect Secure hacking, according to an official with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

CISA has issued emergency directives to federal agencies to apply the Pulse Connect Secure and Exchange Server software updates.


In some of the Pulse Connect breaches, the alleged Chinese spies covered up evidence of many of their compromises as Mandiant prepared to expose the operation last month, the security firm said.

Mandiant analysts argue that Chinese hackers have in recent years gotten more efficient and strategic in targeting data held by organizations that might help Beijing advance its political, military and economic goals.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicates that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the analysts warned.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
