Who is behind the recent Pulse Secure hacks?

There's no defense against zero-days, and why are we so ready to point the finger at the Chinese government, again?
23 April 2021

Pulse Secure VPN Datasheet. Source: Ivanti

The Pulse Secure range of VPN servers (virtual private network) is the latest target in a series of hacks that have affected many organizations across the world, many of them high up in defense and government in the US and Europe.

The Pulse VPNs are deployed as appliances installed by companies to allow secure access to internal networks from outside the LAN, typically for remote workers, and to provide inter-site connectivity. They are also deployed as virtual machines and can handle (at their best spec) up to 25,000 connections per device.

Clients attaching themselves to the VPN servers typically use a thin client (which runs relatively quietly in the background on various devices, from smartphones upwards). The latest attacks, uncovered by security specialists Mandiant, include at least one zero-day exploit, meaning that the methods used were unknown to the Pulse Secure teams at the time.

This event has some interesting aspects to it that are not directly connected with the breaches but serve to highlight several points of interest.

The first issue is the proprietary nature of the Pulse Secure code. Both Ivanti (the platform’s owners) and SolarWinds have suffered high-profile attacks over the last few weeks, and on both occasions, many cybersecurity professionals questioned the decision to deploy non-open-source protections.

This is well-trodden ground for many in the industry, and it bears repetition that neither proprietary blobs nor freely distributed code are inherently more or less secure than the other. The key difference is that when open-source cyber protections get patched, every user benefits from the better protection. However, patch availability does not necessarily mean patches get applied, in proprietary or open-source settings alike – the 2019 ransomware attack on Travelex (also via Pulse Secure devices) came about because of unpatched systems, and history repeats.

The second issue is one of the implied attributes of the perpetrators. In the blog post from Mandiant concerning the breaches, the researchers stated that there is “limited evidence to suggest that UNC2630 [the designation given to an attacking group] operates on behalf of the Chinese government. Analysis is still ongoing to determine the full scope of the activity that may be related to the group […] a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5.”

Although “limited evidence” may be enough to point the finger at state-sponsored hackers, it is interesting to note that it is rare to hear of state-sponsored hacking that works the other way: the US or European governments working to breach Chinese defense organizations’ cyber defenses. The radio silence surely cannot be because it doesn’t happen – could it be that we simply never hear about it?

The easy assumption, therefore, for readers of the security reports and the ensuing news stories is fairly facile: there are “goodies” and “baddies,” and in this case, it was the “baddies” who were up to no good. The “goodies” just don’t engage in hacking, we infer, and are meek and innocent-eyed victims in all of this.

Regardless of who the perpetrators may have been, applying security patches should always remain a priority for cybersecurity teams. But even had the affected organizations had the resources and staff to undertake this maintenance-level task in a timely manner, there is, by definition, no defense against zero-day attacks. Whether an open-source alternative based on WireGuard or OpenVPN would have suffered a similar fate is debatable.