UPDATED: Adds information on CISA’s update today to the activity alert originally issued on April 20.
WASHINGTON: CISA confirmed today it’s investigating at least five federal agencies to determine whether they were breached via recently disclosed vulnerabilities in Pulse Connect Secure appliances.
Matt Hartman, deputy executive assistant director at CISA, said in a statement provided to Breaking Defense, “CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access. We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”
Hartman did not say which agencies are subject to the ongoing investigation.
Since March 31, CISA has been assisting “multiple entities” whose vulnerable Pulse Connect Secure products have been exploited. A source at CISA previously told Breaking Defense the US government has not yet made a determination on attribution.
On April 20, CISA issued an emergency directive and activity alert on four vulnerabilities — three previously known since last year and one newly discovered this month — in Pulse Connect Secure. CISA today updated the activity alert to include new information on Transport Layer Security (TLS) fingerprinting, a technique that could be used to identify malicious activity.
The emergency directive required all federal civilian agencies to identify Pulse Connect Secure appliances in use and to run a free online tool to assess whether the product had been compromised. The results were due to CISA last Friday. Based on those findings, CISA discovered further evidence of potential breaches.
A CISA source previously told Breaking Defense that 24 federal agencies use the popular product that enables workers to remotely access federal networks via a virtual private network (VPN). VPNs encrypt data as it’s transmitted across public networks.
Without knowing which agencies are affected, the attacker, or more details about the tactics, techniques, and procedures used in these possible hacks, it’s difficult to judge their potential severity. What’s clear is that federal agencies continue to be targets of sustained cyber operations, often by foreign governments.
The news of these latest potential breaches comes on the heels of the SolarWinds and Microsoft Exchange server cyberespionage campaigns. The US government formally attributed the former — which affected at least nine federal agencies — to Russia on April 15, and the latter is widely believed to be the work primarily of Chinese threat actors, although the US government has not yet formally attributed the campaign.
Everything comes down to Ukraine: 5 stories from Europe in 2024
Of all that happened during the Ukraine conflict in the last 12 months, the deployment of North Korean troops to the Russian border territory of Kursk stands out from the pack.