Chinese hackers strike US government servers targeting people with Chinese ties

Team Mighty
May 5, 2021 10:38 AM PDT
3 minute read
Hacker stock image, Pixabay

China is at it again, starting off the first 100 days of the Biden Presidency with a number of cyberattacks aimed at shaking American businesses, local governments and even those agencies with their own interests in what happens inside the Chinese government.

The latest round of Chinese attacks on American data services was one of the most advanced hacks yet, especially in terms of the measures taken to evade detection. This time, the hackers weren’t necessarily targeting the Department of Defense or critical infrastructure; they were targeting individuals with information China would consider valuable.

A hacking group called Advanced Persistent Threat 5 (or APT5) is the culprit in the latest round of attacks, according to Charles Carmakal, chief technology officer of Mandiant, a division of FireEye. FireEye has routinely aided the U.S. government in its cybersecurity efforts and has detected or thwarted a number of high-profile attacks in the past decade.

Charles Carmakal, chief technology officer of Mandiant, a division of FireEye (LinkedIn)

“This looks like classic China-based espionage,” Carmakal told the Washington Post. “There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won’t ever know about.”

Though the Defense Department was a target of this round of hacking, so were a number of other U.S. government agencies, along with some critical defense contractors. The attacks began in June of 2020 and may even be ongoing. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) acknowledged as much in an April 2021 alert.

This time, the flaws exploited by Chinese hackers were inside Pulse Secure virtual private network (VPN) servers, which allow remote employees to access company servers while offsite.

Hackers also got into hardware devices near the victims’ locations and renamed their servers to mimic those of current employees. Hiding in plain sight with a common name and the accounts of the people they had just hacked is what made the intrusion so difficult to detect.

FireEye has a long history of exposing high-profile hacks from state actors. In 2015, the company discovered Chinese hackers exploiting vulnerabilities in Microsoft Word and Office applications as well as Adobe Flash Player. In 2016, it discovered a vulnerability in the Android mobile operating system that allowed hackers to access text messages and phone directories. 

The cybersecurity firm was also a target of hackers itself in 2020, when state-funded hackers stole the FireEye toolkit. FireEye then had to fight its own software, releasing tools to make the use of its toolkit in cyberattacks more difficult.

Tech. Sgt. Bryan Dauphinais, 103rd Communications Flight cyber transport journeyman, analyzes simulated cyberattacks during exercise Cyber Yankee at the Windsor Locks Readiness Center, Windsor Locks, Connecticut, July 30, 2020. The exercise connects Guardsmen throughout New England with state and federal agencies, and has them work alongside critical infrastructure utilities to combat simulated cyber attacks from threat actors. (U.S. Air National Guard photo by Staff Sgt. Steven Tucker)

Most importantly, FireEye detected the 2020 SolarWinds attack and reported it to the National Security Agency (NSA). The SolarWinds attack allowed hackers to breach multiple government agencies and grant themselves privileged access to their networks. This attack was allegedly conducted by hackers working for the Russian Foreign Intelligence Service, or SVR.

In response, President Biden implemented sweeping sanctions on the Russian economy upon taking office. There is no word yet on retaliation against China from the Biden Administration; the White House has only commented that it was aware of the situation and was monitoring it closely.

The most recent cybersecurity breach by APT5 is the third detected attack in 2021, all suspected to have links to China’s Communist Party. One of the previous two attacks hit 30,000 Americans in small business and local government; the other targeted tech giant Microsoft.
