NSA warns defense contractors of recent Chinese government-backed hacking

Written by

U.S. defense contractors should be wary of Chinese government-backed hackers who are actively exploiting a multitude of known vulnerabilities to target — and successfully breach — victim networks, the National Security Agency said in an advisory Tuesday.

The hackers are specifically going after 25 known vulnerabilities that primarily affect products used for remote access or for external web services, which the NSA lays out in detail in the advisory. Vulnerabilities the Chinese hackers are exploiting include those of Pulse Secure VPNs, which could allow attackers to steal victim passwords, as well as F5 Networks’ Big-IP Traffic Management User Interface, Windows Domain Name System servers, a series of flaws in Citrix ADC and Gateway devices, and several others.

System administrators in the defense industrial base should immediately patch the vulnerabilities the Chinese hackers are exploiting, the NSA warned.

“NSA is aware that National Security Systems, Defense Industrial Base, and Department of Defense networks are consistently scanned, targeted, and exploited by Chinese state-sponsored cyber actors,” the NSA said in its release. “NSA recommends that critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, and competitive advantage.”

All of the vulnerabilities the NSA highlights in its release have been previously identified — but the NSA hopes that by explicitly linking them with Chinese hacking operations, defense contractors pay more attention to patching them for fear of becoming collateral damage in espionage campaigns.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” Anne Neuberger, the director of the NSA Cybersecurity Directorate, said in a statement. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”

While system administrators in the defense sector should pay attention to the NSA warning, cybersecurity practitioners in other sectors should pay attention as well, according to the NSA. Chinese state-sponsored actors have used some of the vulnerabilities the NSA listed to target entities in the telecommunications, healthcare, financial, transportation, petrochemical, and manufacturing sectors as well, according to FireEye research published in March.

Other agencies have also worked to raise awareness about Chinese state-sponsored hackers taking advantage of known flaws in recent months. The FBI and the Department of Homeland Security’s cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, warned last month that hackers with ties to China’s civilian intelligence and counterintelligence service, the Ministry of State Security (MSS) have been using flaws in F5 Networks’ Big-IP Traffic Management User Interface, Citrix VPN Appliances, and Pulse Secure VPN appliances.

The NSA did not name the MSS in its advisory.

Russian hackers have also capitalized on some of the vulnerabilities named in the NSA advisory. APT29, a hacking group that has been tied to Russia’s Foreign Intelligence Service (SVR) or the country’s Federal Security Service (FSB), has used the Pulse Secure VPN vulnerability to target coronavirus research in recent months., according to the NSA. Iran-linked hackers have likewise used some of the vulnerabilities named in the NSA release, according to ClearSky researchers.