At least two-dozen U.S. federal agencies run the Pulse Connect Secure enterprise software that two advanced hacking groups have recently exploited, according to the Department of Homeland Security’s cybersecurity agency.
Multiple agencies have been breached, but just how many is unclear.
“We’re aware of 24 agencies running Pulse Connect Secure devices, but it’s too early to determine conclusively how many have actually had the vulnerability exploited,” Scott McConnell, a spokesman for DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop on Wednesday.
FireEye, the cybersecurity firm that announced the hacking campaign on Tuesday, said at least one of the two groups had links to China. The suspected Chinese hackers also targeted the trade-secret-rich defense contractors who do business with the Pentagon.
CyberScoop’s review of agency records found that multiple U.S. government-funded labs conducting national security-related research appear to run Pulse Connect Secure virtual private network software, which allows employees to log in to an organization remotely. That includes the Department of Energy’s Sandia National Laboratories, which recently boasted that the Pulse Connect Secure software helped its employees adapt to remote work during the coronavirus pandemic.
Los Alamos National Laboratory, another DOE-funded lab, has advertised a job for a cybersecurity staff member to support the organization’s “over ten thousand employees, students and contractors.” Working with Pulse Connect Secure is listed as a “desired qualification” for the job. A third DOE-backed outfit, the National Renewable Energy Laboratory (NREL), also advertises its use of a Pulse Connect Secure VPN.
Both Sandia and Los Alamos conduct specialized research into topics such as nuclear energy and high-performance computing. NREL research covers clean energy, advanced manufacturing and other topics.
“We are aware of this [issue] but there has been no impact to us,” NREL spokesperson David Glickson said in an email.
A spokesperson for Sandia did not respond to a request for comment by press time. A spokesperson for Los Alamos referred questions to the National Nuclear Security Administration (NNSA), which oversees the lab. NNSA did not immediately respond to a request for comment.
The exploitation of Pulse Connect Secure is the latest set of intrusions to roil the U.S. government and private sector, following alleged Russian and Chinese activity exploiting software made by SolarWinds and Microsoft, respectively. And like those other incidents, the recovery process could be gradual.
CISA on Tuesday evening issued an emergency order to federal civilian agencies to run a security test to find out if they’ve been breached in the Pulse Connect Secure hacking. CISA once rarely used that authority, but has increasingly done so in response to critical bugs found in software running on government networks.
A security fix for the previously unknown software vulnerability exploited by the hackers won’t be available until next month, according to Ivanti, the Utah-based firm that owns Pulse Connect Secure.
State-sponsored spies have long sought out vulnerabilities in VPN software to pry their way into target networks. Tom Kellermann, head of cybersecurity strategy at technology vendor VMware, said VPN exploits have been considered the “holy grail” for state-backed hackers because of the U.S. government’s “historic over-reliance on them for securing access” to its networks.
In this case, the Pulse Connect Secure exploits could serve as a key entry point into a data-rich network.
The hackers’ “primary goals are maintaining long-term access to networks, collecting credentials, and stealing proprietary data,” said Charles Carmakal, a senior vice president at Mandiant, FireEye’s incident response practice.