The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: The Biden administration faces a new wave of hacks compromising dozens of government agencies and companies

Placeholder while article actions load

with Tonya Riley

By Aaron Schaffer and Ellen Nakashima

A sophisticated China-linked hacking group infiltrated dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors, according to a private firm working with the federal government. The intrusions are ongoing, FireEye said, and exploit weaknesses in popular Pulse Secure virtual private networks.

At least a dozen U.S. government agencies have or recently had contracts for the software, according to a Washington Post review. The Department of Homeland Security has ordered government agencies to report back by Friday on their use of the software and whether they were breached.

The hack is just the latest in a string of high-profile software breaches hitting victims in the United States.

 Hackers in the latest attack breached sensitive defense-related organizations, according to FireEye. 

Another China-linked hacking group earlier this year targeted Microsoft clients, including defense contractors. Russian hackers who infiltrated SolarWinds software last year breached nearly a dozen federal agencies and 100 corporations.

The attack comes as the Biden administration prepares an executive order expected to include more than a dozen actions to improve information-sharing between the private sector and government, and shore up cybersecurity requirements for federal contractors.

The particular group at work here was “very advanced,” taking steps to evade detection, said Charles Carmakal, chief technology officer of Mandiant, a division of FireEye.

The White House and FBI declined to comment, and the U.S. government has not attributed the campaign to a country. 

But the campaign “looks like classic China-based espionage,” Carmakal said. “There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won’t ever know about.”

The hackers were able to disguise their activity, the DHS’s cybersecurity agency, CISA, said, by using hacked devices such as Internet routers that corresponded with their victims’ locations. Most were in the United States, but some were in Europe, Carmakal said.

When they targeted American victims, they used U.S. servers, and when targeting European organizations, they used Europe-based servers to draw less attention to themselves, he said. 

It’s the latest attack to exploit a “blind spot” by U.S. intelligence agencies that aren’t allowed to spy on U.S. networks.

Gen. Paul Nakasone, the director of the National Security Agency, told exasperated senators last week the agency doesn’t want additional powers to detect attacks coming from U.S. networks.

“It’s not the fact that we can’t connect the dots,” Nakasone told lawmakers last month. “We can’t see all of the dots.”

FireEye found evidence of intrusions dating back to last summer but suspects they took place “well before that,” Carmakal said. “We’re just limited to the forensic data available to us.”

CISA acknowledged in an alert Tuesday that the agency was aware of “ongoing exploitation” of software flaws in servers at “U.S. government agencies, critical infrastructure entities, and private sector organizations.”

Pulse Secure, which is now owned by Ivanti Inc., issued a statement Tuesday saying a “limited number” of customers were affected. “The team worked quickly to provide mitigations directly” to the affected customers, it said.

The keys

FireEye also found that hackers are exploiting a dangerous vulnerability in email security software from California firm SonicWall.

The network services firm is now urging customers to upgrade their systems.

Right now the number of victims is small but it could grow.

“We’ve only seen it exploited at one victim organization, but Internet scanning has shown at least 700 internet-reachable devices that are vulnerable if unpatched,” Josh Fleischer, principal security analyst at FireEye sad in a statement.

SonicWall declined to comment on the nature of the customers affected by the vulnerability. However, a description on the company's website touts it as “working to ensure the protection of U.S. federal government agencies and numerous departments’ IT systems.” 

FireEye did not attribute the attack to any known hacking group or nation state actors.

Legislation to introduce a top cyber diplomat passed the House.

The legislation will also create a cyberspace policy bureau within the State Department.

“As the United States confronts increasingly bold challenges from adversaries in cyberspace, designing and implementing a whole-of-government response strategy ­  in close coordination with the international community is an urgent matter of national security, Jim Langevin (D-R.I.), chairman of the House Armed Services Committee’s subcommittee on cyber, innovative technologies and information systems said in a statement. 

The bill follows recent sanctions by the United States on Russia for the SolarWinds cyberattack and other malign activity. Although other nations expressed support for the action, the United States was alone in pursuing sanctions. Lawmakers say that increased cyber diplomacy will create a more unified front on these matters.

The firm response to Russian destabilization efforts is welcome, but unfortunately, coordination with our closest allies was lacking, Langevin said.

The Biden administration has stressed a desire to work with global allies to set global norms around cybersecurity.

The bill is expected to also pass the Senate.

Facebook doesn't want you to think that the scraping of your personal data is a big deal, according to internal documents.

An internal PR document accidentally shared by the company with a Belgium-based news outlet outlines the social media company's strategy for dealing with a recent leak of 500 million phone numbers.

The company expects more incidents of scraping data in the future, according to the document.

While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact this activity is ongoing and avoid criticism that we aren't being transparent about particular incidents, the email said.

Facebook confirmed the veracity of the email to Motherboard.

“It shouldn’t surprise anyone that our internal documents reflect what we’ve said publicly,” Facebook told Motherboard in a statement. We understand people's concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it.

Researchers also identified a separate vulnerability yesterday that can be used by a third party to see email addresses linked to a Facebook account even if the email is not public, Joseph Cox at Motherboard reports.

It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings, a Facebook representative told Motherboard.

Hill happenings

Reps. Anna G. Eshoo (D-Calif.) and Adam Kinzinger (R-Ill.) reintroduced legislation that would require the National Telecommunications and Information Administration to submit to Congress a comprehensive report examining the cybersecurity of existing wireless networks and vulnerabilities to cyberattacks and surveillance by adversaries. 

The legislation comes ahead of a House Energy and Commerce Committee hearing today on securing America's wireless networks.


  • CISA executive assistant director for cybersecurity Eric Goldstein speaks at the Industrial Control Systems Joint Working Group’s spring virtual meeting today at 8:30 a.m.
  • Senate Majority Leader Charles E. Schumer (D-N.Y.); Rep. Michael McCaul (R-Texas); acting National Counterintelligence and Security Center director Mike Orlando; and Carl McCants, the technical director of NCSC’s supply chain and cyber directorate, speak at an Intelligence and National Security Alliance event on microelectronics supply chains today at noon.
  • A House Energy and Commerce Committee panel holds a hearing on securing U.S. wireless network technology on Wednesday at 11:30 a.m.
  • The Senate Armed Services Committee holds two hearings on the military’s cyber workforce and technology on Wednesday at 2:30 p.m.
  • Former undersecretary of state Keith Krach and retired four-star Gen. Stanley McChrystal discuss how the United States and its allies can create a global cyber-trust network at a Washington Post Live event on Thursday at 11 a.m.
  • Former acting Defense Intelligence Agency director David Shedd and former Undersecretary of Defense for Intelligence Steve Cambone speak at a Heritage Foundation event on the intelligence community on Friday at noon.

Secure log off