A foreign hacking group has breached at least nine organisations worldwide in a sweeping espionage campaign, according to a report by cybersecurity company Palo Alto Networks.
The attackers reportedly focused on servers belonging to companies working with the US Department of Defense, as well as organisations in the education, energy, healthcare and technology sectors.
In a campaign that is believed to have begun on 17 September and continued into early October, the hackers targeted organisations running Zoho ManageEngine servers, exploiting a vulnerability in the vendor's ADSelfService Plus password-management software, and compromised at least nine of them, the report said.
"Through global telemetry, we believe that the actor targeted at least 370 Zoho [software]... in the United States alone," Palo Alto Networks was cited as saying in a blog post on 7 November.
Palo Alto Networks researchers said the tactics and tooling used in the attack were consistent with those of Emissary Panda, a Chinese hacking group widely assessed to be linked to China's government. The company stopped short of naming any of the targeted organisations, saying it was sharing the information to raise awareness of the threat and to urge affected organisations to patch the exploited vulnerability promptly.
"Ultimately, the actor was interested in stealing credentials, maintaining access, and gathering sensitive files from victim networks for exfiltration," Palo Alto Networks stated in the report. Given those aims, patching the server alone would not end an intrusion already under way: an organisation whose ManageEngine server was exposed during the campaign would also need to reset any credentials the server held or could reach and check for persistence the actor may have left behind.
CNN, which first reported the story, said the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) were actively tracking the threat. Palo Alto Networks added that it had shared the threat information with other members of the Cyber Threat Alliance (CTA).
According to Ryan Olson, vice president of threat intelligence at Palo Alto Networks, the nine confirmed victims are the "tip of the spear" of a much larger spying campaign.
Earlier this year, cybersecurity firm Mandiant, then the incident response division of the California-based company FireEye, reported that China-linked hackers had exploited another software vulnerability to breach defence, financial and public sector organisations in the US and Europe.
In a report published on 20 April, Mandiant said two hacking groups had exploited a vulnerability in virtual private network software made by Pulse Secure between August 2020 and March 2021 to infiltrate those organisations.
Mandiant said one of the two groups used techniques "similar" to those of a Chinese state-backed espionage group. In recent years Washington has repeatedly accused Beijing of a concerted effort to infiltrate public and private institutions abroad, and Beijing has responded by turning the spying accusations back on Washington.
The Chinese foreign ministry dismissed "groundless speculations" in July, accusing the US of "ganging up with its allies" and engaging in "smear and suppression out of political motives."