Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology, and education sectors — and at least one of those organizations is in the US, according to findings that security firm Palo Alto Networks shared exclusively with CNN.
With the help of the National Security Agency, cybersecurity researchers are exposing an ongoing effort by these unidentified hackers to steal key data from US defense contractors and other sensitive targets. It’s the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage.
The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers’ tools in the process. Officials from the NSA and the US Cybersecurity and Infrastructure Security Agency (CISA) are tracking the threat.
A division of the NSA responsible for mitigating foreign cyber threats to the US defense industrial base contributed analysis to the Palo Alto Networks report. In this case, the hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN.
The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.
Olson said that the nine confirmed victims are the “tip of the spear” of the apparent spying campaign, and that he expects more victims to emerge. It’s unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers’ tactics and tools overlap with those used by a suspected Chinese hacking group.
The NSA and CISA declined to comment on the identity of the hackers.
With their trove of national security-related secrets, US defense contractors are a recurring target for foreign hackers.
Cybersecurity firm Mandiant earlier this year revealed that China-linked hackers had been exploiting a different software vulnerability to breach defense, financial and public sector organizations in the US and Europe.
Any company doing business with the Pentagon could have a range of data in their emails about defense contracts that could be of interest to foreign spies, said Olson, who is vice president of Palo Alto Networks’ Unit 42 division.
“In aggregate, access to that information can be really valuable,” Olson said. “Even if it’s not classified information, even if it’s just information about how the business is doing.”
In the activity revealed by Palo Alto Networks, the attackers are exploiting a vulnerability in software that corporations use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software flaw and urged organizations to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 computer servers running the software in the US alone, and then began to exploit the software.
Olson encouraged organizations that use the Zoho software to update their systems and search for signs of a breach.
Federal officials told CNN the revelation of the hacking activity is evidence of their close work with cybersecurity firms to stay on top of threats.
CISA used a nascent public-private defensive program to “understand, amplify, and drive action in response to the activity identified” in the Palo Alto Networks report, said CISA Executive Assistant Director for Cybersecurity Eric Goldstein.
The disclosure of the hacking campaign shows how the NSA is “delivering real-time impact to our partners and the defense of the nation,” Morgan Adamski, director of the agency’s Cybersecurity Collaboration Center, said in a statement to CNN.