Five U.S. Agencies May Have Been Hacked Through Ivanti Flaws
(Bloomberg) -- The U.S. Department of Homeland Security has determined that flaws in Ivanti Inc.’s products may have allowed hackers to breach at least five federal agencies.
The Department’s Cybersecurity and Infrastructure Security Agency, known as CISA, has been working with organizations targeted through vulnerabilities in Ivanti’s Pulse Connect Secure products and required federal civilian agencies to run a tool designed to find them.
“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, a deputy executive assistant director at CISA, said Thursday in a statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”
Hartman didn’t identify the agencies. Reuters previously reported the suspected breaches in federal agencies.
Hartman’s statement comes a week after CISA released an Emergency Directive requiring agencies using Pulse Connect Secure virtual private networks and other products to take steps to find and mitigate possible breaches. It also comes after another major cyber-attack on the digital supply chain in which Russian hackers inserted malicious code in software updates for Texas-based SolarWinds Corp.
Nine U.S. agencies and at least 100 companies were breached by the Russian hackers in that attack, which was made public in December.
The U.S. hasn’t attributed the cyber-activity to a specific hacking group. However, the cybersecurity firm FireEye Inc. recently found that hackers -- suspected to be based in China -- were using Pulse Secure virtual private networks to hack into dozens of organizations for apparent espionage purposes, according to Charles Carmakal, a senior vice president and chief technology officer at FireEye, who spoke to Bloomberg News in an interview last week.
The Chinese Embassy in Washington didn’t immediately respond to a request for comment.
Ivanti said in a statement that it was working closely with CISA and cybersecurity experts “to investigate and respond quickly to malicious activity that was identified on a very limited number of customer systems.”
“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” the company said.
Organizations targeted by the hackers through Pulse Secure flaws spanned financial services, government and defense contracting in the U.S. and Europe, Carmakal said. Since then, analysts at FireEye have observed additional victims including transportation, energy, professional services and telecommunications organizations.
“This is a pretty big deal from a national security perspective,” Carmakal said in the interview. He said there has been a significant spike in China-linked hacking in the U.S. this year, including widespread attacks that leveraged flaws in Microsoft Corp.’s Exchange software for email.
©2021 Bloomberg L.P.