State-linked hackers hit American, European organizations with Pulse Secure exploits

Such VPN software has proven a popular foothold for spies over the years.
(Getty Images)

Two hacking groups, including one with ties to China, have in recent months exploited popular enterprise software to break into defense, financial and public sector organizations in the U.S. and Europe, security firm FireEye warned Tuesday.  

Attackers are exploiting old vulnerabilities — and one new one — in virtual private networking software made by Pulse Secure. Corporations and  governments alike use the technology to manage data on their networks, though it has proven a popular foothold for spies over the years.

Later on Tuesday, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency confirmed that “U.S. government agencies” and “critical infrastructure entities” had been breached in the activity.

“The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence,” CISA said.


One of the hacking groups in question uses techniques similar to a Chinese state-backed espionage group, according to FireEye incident response unit Mandiant. “We have also uncovered limited evidence to suggest that [the hacking group] operates on behalf of the Chinese government,” Mandiant said in a blog post. The company did not say, specifically, what evidence it uncovered tying the incident to China.

More broadly, Mandiant Senior Vice President and CTO Charles Carmakal said, “We suspect these intrusions align with data and intelligence collection objectives by China.”

There are at least 12 different families of malicious software linked to the exploitation of Pulse Secure VPN software, Mandiant analysts said. Various hacking groups have likely written their own code to gain persistent access to networks running the software, according to Mandiant. The analysts said the hacking groups may not be related to each other.   

While Ivanti, the firm that owns Pulse Secure, has recommended mitigating measures for the new vulnerability, a final fix for it won’t be available until next month. “A very limited number” of Ivanti customers are affected by the new flaw, Ivanti Chief Security Officer Phil Richards said. Richards encouraged customers to use a security tool to check for any impact from the vulnerability.

Pulse Secure VPN was among the vulnerable software that hackers associated with the China’s Ministry of State Security used to infiltrate U.S. government and private networks last year. Operatives with Russia’s SVR foreign intelligence service have also exploited the software in their spying, U.S. officials said last week.


The exploitation of Pulse Secure comes after U.S. cybersecurity specialists have responded to alleged Russian and Chinese hacking operations exploiting software made by SolarWinds and Microsoft, respectively.

UPDATE, 11:51 a.m. EDT: This story has been updated with a comment from Ivanti.

UPDATE, 03:42 p.m. EDT: This story has been updated with information from a Department of Homeland Security advisory.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts