Suspected Chinese hackers used two previously undiscovered software flaws to break into a US-based research organization last month as part of a persistent spying campaign aimed at collecting intelligence in China’s interests, researchers said Wednesday.
The hackers used the flaws — which are coveted by spy agencies because they aren’t known to the software vendor — to “gain unfettered access” to the unnamed victim organization, US cybersecurity firm Volexity said in a blog post.
The victim organization does research on geopolitics, including China issues, and regularly draws attention from state-backed hackers, according to Volexity. “It’s aligned with espionage that we’ve seen from Chinese [hackers] in the past,” Volexity co-founder Sean Koessel told CNN.
For US officials and forensic experts, it’s the latest example of China’s voracious appetite for intelligence derived from hacking. US officials say China is the most prolific and pervasive digital adversary facing the United States. FBI Director Christopher Wray has said that China’s hacking teams outnumber the FBI’s cyber agents 50 to 1.
Beijing routinely rejects allegations of hacking while accusing the US of conducting its own cyberattacks. Liu Pengyu, spokesman for the Chinese Embassy in Washington, DC, said he was unaware of the details of the incident.
“We firmly oppose and combat cyber attacks of any kind,” he said in a statement.
Volexity said it alerted the federal Cybersecurity and Infrastructure Security Agency to the activity. The agency did not immediately respond to a request for comment.
While the software exploits were used to precisely target the US victim organization, the concern now is that the exploit code could leak publicly, allowing lower-skill hackers to replicate it.
“It’s one of those things that would be massively weaponized by all walks of threat actors if those details were to leak, and it would lead to wide-scale exploitation,” Koessel said.
The hackers exploited popular virtual private networking (VPN) software made by Utah-based IT firm Ivanti. The firm said Wednesday it was developing a software update to fix the flaws while urging customers to take additional steps to protect themselves.
The news comes amid broader concerns about China’s surveillance capabilities.
A Chinese tech firm was able to crack the encryption of Apple’s AirDrop wireless sharing function to identify users on the Beijing subway accused of sharing “inappropriate information,” judicial authorities in Beijing said this week.
“For the Chinese government, the idea that people could be passing files between each other without passing through censorship systems is a political security concern,” Dakota Cary, a consultant at security firm SentinelOne who focuses on China, told CNN. “The government will always prioritize the ability to access, censor, and attribute communication between individuals. Even something like AirDrop concerns the CCP [Chinese Communist Party].”