Two separate groups of adversaries aligned with the interests of the Chinese government are conducting cyberespionage campaigns against U.S. government agencies, tech companies, financial services firms, and other targets, using exploits for known vulnerabilities in Pulse Secure VPNs.
The campaigns have been ongoing for several months, and researchers at FireEye Mandiant disclosed some of the details of one of the groups’ intrusions in late April. The adversaries are targeting Pulse Secure VPN appliances for exploitation and then inserting webshells on compromised devices in order to maintain persistent access. In the days leading up to Mandiant’s initial disclosure last month, one of the groups, known as UNC2630, went into many of the previously compromised appliances and removed the webshells, an odd move, given the timing and the fact that Chinese cyberespionage operators usually aren’t much concerned with being outed.
“It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity,” Mandiant researchers said in a new analysis on Thursday.
Despite the public exposure, both UNC2630 and UNC2717 have continued to target Pulse Secure VPN appliances and Mandiant investigators have identified 16 separate malware families used in these operations. The attackers are using a handful of previously disclosed vulnerabilities in Pulse Secure VPN devices for initial access, including CVE-2021-22893. After the initial compromise, the attackers often change timestamps and other forensic artifacts in order to hamper incident response investigations.
“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration. They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date,” Mandiant researchers said.
“In some cases, Mandiant observed the actors create their own Local Administrator account outside of established credential management controls on Windows servers of strategic value. This allowed the actor to maintain access to systems with short-cycle credential rotation policies and provided a sufficient level of access to operate freely within their target environment.”
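One way a defender can catch the rogue local Administrator accounts described above is to correlate Windows Security events 4720 (user account created) and 4732 (member added to a local group) and alert when the creating account is not the sanctioned provisioning identity. The code below is an added illustration, not Mandiant's or Pulse Secure's tooling; the event records, host names, and the approved provisioning account `CORP\svc-iam` are constructed assumptions.

```python
"""Flag local Administrator accounts created outside the sanctioned provisioning path.

Correlates Windows Security events 4720 (account created) and 4732 (member added to a
security-enabled local group). Events are constructed dicts standing in for a SIEM or
Get-WinEvent export; the approved provisioning account is a hypothetical assumption.
"""
from datetime import datetime, timedelta

LOCAL_ADMINS_SID = "S-1-5-32-544"          # well-known SID of BUILTIN\Administrators
APPROVED_PROVISIONERS = {"CORP\\svc-iam"}  # hypothetical sanctioned IAM service account

# Constructed sample events (not from the article); fields mirror the Security log.
SAMPLE_EVENTS = [
    {"ts": "2021-04-20T02:11:05", "id": 4720, "host": "FS01", "subject": "CORP\\svc-iam", "target": "backup_svc"},
    {"ts": "2021-04-20T02:11:07", "id": 4732, "host": "FS01", "subject": "CORP\\svc-iam", "member": "backup_svc", "group_sid": LOCAL_ADMINS_SID},
    {"ts": "2021-04-21T03:40:12", "id": 4720, "host": "DC02", "subject": "CORP\\jdoe", "target": "support"},
    {"ts": "2021-04-21T03:40:15", "id": 4732, "host": "DC02", "subject": "CORP\\jdoe", "member": "support", "group_sid": LOCAL_ADMINS_SID},
    {"ts": "2021-04-21T09:00:00", "id": 4720, "host": "WS07", "subject": "CORP\\jdoe", "target": "tmpuser"},
]


def find_rogue_local_admins(events, window=timedelta(minutes=10)):
    """Return (host, account, creator) for accounts created by a non-approved subject
    and added to the local Administrators group within `window` of their creation."""
    created = {}  # (host, account) -> (creation timestamp, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"])] = (ts, ev["subject"])
        elif ev["id"] == 4732 and ev.get("group_sid") == LOCAL_ADMINS_SID:
            key = (ev["host"], ev["member"])
            if key not in created:
                continue  # membership change without a recent creation: out of scope here
            c_ts, creator = created[key]
            if creator not in APPROVED_PROVISIONERS and ts - c_ts <= window:
                hits.append((ev["host"], ev["member"], creator))
    return hits


if __name__ == "__main__":
    for host, acct, creator in find_rogue_local_admins(SAMPLE_EVENTS):
        print(f"ALERT {host}: local admin '{acct}' created by {creator} outside provisioning")
```

The account on WS07 is created but never elevated, so it is not reported; tightening the rule to alert on any 4720 from a non-approved subject is a matter of local policy.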
Once inside a target network, the adversaries use a variety of techniques and tools to steal credentials, perform reconnaissance and move laterally. Mandiant’s researchers collaborated with analysts at BAE Systems Applied Intelligence to identify several dozen organizations in Europe and the U.S. that have been compromised through weaknesses in Pulse Secure VPN appliances by these adversaries.
“Notably, compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives as outlined in China’s 14th Five Year Plan. Many manufacturers also compete with Chinese businesses in the high tech, green energy, and telecommunications sectors. Despite this, we have not directly observed the staging or exfiltration of any data by Chinese espionage actors that could be considered a violation of the Obama-Xi agreement,” Mandiant said.
“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicates that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to US and European commercial entities.