Incident: Pulse Secure VPN Vulnerability Exploited by Chinese Hackers in US Government Agencies

Published Date: 2021-04-20

Postmortem Analysis
Timeline
1. Exploitation of the Pulse Secure VPN vulnerabilities had been under way since at least August of the previous year [113355].
2. Exploitation of Pulse Secure VPN vulnerabilities began as early as 2019 [113406].
3. The Pulse Secure VPN hack was discovered recently; the emergency cybersecurity directive was issued two weeks before the article's publication on April 29, 2021 [113406].

System
1. Pulse Secure VPN: vulnerabilities in Pulse Secure VPN were exploited by hackers with suspected ties to China, leading to breaches of government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410, 113406].

Responsible Organization
1. Hackers with suspected ties to China [113355, 113354, 113410]
2. China-linked hackers [113410, 113406]

Impacted Organization
1. Government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354]
2. Federal civilian agencies in the US [113354, 113406]

Software Causes
1. Exploitation of vulnerabilities in Pulse Secure VPN software by hackers with suspected ties to China [113355, 113354, 113410, 113406]
2. Use of a previously undisclosed vulnerability in American virtual private networking devices by China-linked hackers to spy on the U.S. defense industry [113410, 113406]
3. Exploitation of flaws in Pulse Secure VPN software by multiple hacking groups, including one associated with China, since 2019 [113406]

Non-software Causes
1. Hackers exploited vulnerabilities in the Pulse Secure VPN, a widely used remote connectivity tool, to gain unauthorized access to government agencies, defense companies, and financial institutions [113355, 113354, 113410].
2. The hackers were suspected to have ties to China, giving the incident a geopolitical dimension [113355, 113354, 113410].
3. The incident was a supply chain cyberattack, in which sophisticated groups targeted vulnerable software built by third parties to reach sensitive government and corporate networks [113406].
4. The incident involved traditional espionage with elements of economic theft, indicating a motive beyond software exploitation itself [113406].
5. The incident highlighted the increased risk that came with the growth in VPN usage during the COVID-19 pandemic, as more employees worked remotely [113406].

Impacts
1. The vulnerabilities in Pulse Secure VPN allowed hackers with suspected ties to China to gain access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410].
2. At least five federal civilian agencies were breached, with potential unauthorized access and data exfiltration [113354, 113406].
3. The US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency took emergency measures, including issuing emergency directives requiring federal civilian agencies to scan for compromises, install updates, and report back [113355, 113354, 113406].
4. The sophisticated hackers behind the incident were able to steal account credentials and sensitive data belonging to victim organizations, posing a significant risk to the compromised entities [113355].
5. The incident highlighted the vulnerability of widely used VPN products, especially given the increase in remote work due to the COVID-19 pandemic, and the need for stronger cybersecurity measures [113406].

Preventions
1. Regularly updating software: the incident could have been prevented if the affected organizations had promptly applied the patches and updates that addressed known vulnerabilities in Pulse Secure VPN [113355, 113354, 113410, 113406].
2. Implementing strong cybersecurity measures: organizations could have prevented the hack with robust measures such as multi-factor authentication, network segmentation, and intrusion detection systems [113355, 113354, 113410, 113406].
3. Conducting regular security audits: regular security audits and assessments could have identified and mitigated the vulnerabilities before hackers exploited them [113355, 113354, 113410, 113406].

Fixes
1. Applying software patches and updates to address the vulnerabilities in Pulse Secure VPN [113355, 113354, 113410].
2. Running an "integrity tool" to check for issues and signs of compromise [113355, 113354].
3. Implementing emergency workarounds published by Ivanti, the owner of Pulse Secure [113355].
4. Conducting a thorough scan for potential unauthorized access and intrusion [113354].
5. Validating whether an intrusion has occurred and offering incident response support accordingly [113354].
6. Working with Ivanti to understand the vulnerability in Pulse Secure VPN devices and mitigate potential risks to federal civilian and private sector networks [113410].
7. Providing a patch to fix the problem by early May [113406].
8. Evicting the intruders and uncovering other evidence through collaboration between CISA, the FBI, and victims of the hack [113406].

References
1. FireEye [113355, 113410]
2. Cybersecurity and Infrastructure Security Agency (CISA) [113355, 113354, 113406]
3. Ivanti [113355, 113410]
4. Department of Homeland Security (DHS) [113355, 113410]
5. Chinese Embassy [113410]
6. National Security Agency [113410]
7. FBI [113406]
8. Justice Department [113406]
9. U.S. Cybersecurity Infrastructure Security Agency [113406]
10. Chinese hackers [113406]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident happened again at one organization (one_organization):
- The exploitation of vulnerabilities in Pulse Secure VPN recurred within the same organization, Ivanti, the owner of Pulse Secure. Hackers exploited a flaw in the Pulse Connect Secure suite to break into the systems of a limited number of customers [113410].
- Ivanti said that while mitigations were in place, a fix for the issue would be unavailable until early May [113410].
(b) The software failure incident happened again at multiple organizations (multiple_organization):
- The exploitation of vulnerabilities in Pulse Secure VPN also occurred at multiple organizations. Hackers with suspected ties to China exploited vulnerabilities in Pulse Secure VPN to gain access to government agencies, defense companies, and financial institutions in the US and Europe [113355].
- At least five federal civilian agencies were breached in the latest hack, so the incident affected multiple organizations [113354].
- The Cybersecurity and Infrastructure Security Agency (CISA) has been working with multiple entities whose vulnerable Pulse Connect Secure products were exploited by a cyber threat actor, indicating a broader impact across organizations [113354].
- The investigation showed evidence of potential breaches in at least five federal civilian agencies, indicating widespread impact across multiple organizations [113406].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) Design: the incident stemmed from vulnerabilities in the Pulse Secure VPN, a widely used remote connectivity tool, which hackers with suspected ties to China exploited [113355, 113354, 113410]. These vulnerabilities were present in the system's design and development, allowing the hackers to gain unauthorized access to government agencies, defense companies, and financial institutions.
(b) Operation: the incident also involved hackers exploiting the Pulse Secure VPN vulnerabilities during the operation and use of the system by various organizations [113355, 113354, 113410]. The operation of the system, including the misuse of the VPN tool, contributed to the successful intrusion.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system:
- The incident was primarily due to flaws and vulnerabilities within the Pulse Secure VPN software itself [113355, 113354, 113410, 113406].
- Hackers exploited known flaws and a newly discovered vulnerability in Pulse Secure VPN to gain unauthorized access to government agencies, defense companies, and financial institutions [113355, 113354].
- The vulnerabilities in the Pulse Connect Secure suite were used by hackers to break into the systems of a limited number of customers [113410].
- Ivanti said that while mitigations were in place, a fix for the issue would be unavailable until early May [113410].
- The hackers were able to exploit the Pulse Secure VPN as customers used it, indicating a failure within the software itself [113406].
(b) outside_system:
- The incident was also influenced by external factors, namely the actions of hackers with suspected ties to China who exploited the vulnerabilities in Pulse Secure VPN [113355, 113354, 113410, 113406].
- The hackers were sophisticated and used their access to steal account credentials and sensitive data belonging to victim organizations [113355].
- The hackers were suspected to operate on behalf of the Chinese government, indicating an external influence on the incident [113410].
- A Chinese Embassy spokesperson denied the allegations of cyber attacks and called them irresponsible and ill-intentioned claims [113410].
- The U.S. government is investigating the hack, and the scope, impact, and attribution remain unclear, suggesting external factors at play [113406].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The exploitation of vulnerabilities in Pulse Secure VPN was attributed to hackers with suspected ties to China, who repeatedly took advantage of flaws and a newly discovered vulnerability in the software [113355, 113354, 113410].
- The hackers exploited a previously undisclosed vulnerability in American virtual private networking devices to spy on the U.S. defense industry, as reported by researchers and the devices' manufacturer [113410].
- The hackers were able to break into Pulse Secure VPN as customers used it, indicating a non-human action leading to the breach [113406].
(b) The software failure incident occurring due to human actions:
- The hackers who exploited Pulse Secure VPN were described as extremely sophisticated, with deep technical knowledge of the product, suggesting human involvement in the exploitation [113355].
- Ivanti said that while mitigations were in place for the vulnerability in the Pulse Connect Secure suite, a fix would be unavailable until early May, indicating a delay in addressing the vulnerability [113410].
- The U.S. government's investigation into the Pulse Secure activity is still in its early stages, and the scope, impact, and attribution remain unclear, so further human action is needed to determine the full extent of the breach [113406].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware: the articles make no specific mention of contributing factors originating in hardware.
(b) The software failure incident occurring due to software:
- The incident is primarily due to vulnerabilities in the Pulse Secure VPN software being exploited by hackers with suspected ties to China [113355, 113354, 113410, 113406].
- Hackers repeatedly took advantage of known flaws and a newly discovered vulnerability in Pulse Secure VPN to gain access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410, 113406].
- The vulnerabilities in the Pulse Secure software were exploited by multiple hacking groups, including an elite team associated with China, since 2019 [113410, 113406].
- Ivanti, the owner of Pulse Secure, said that a fix for the vulnerability would be unavailable until early May [113410].
- Patches for the known vulnerabilities in Pulse Secure already exist, and a more permanent software update to address the newly discovered flaw is expected in early May [113355].
- The incident is part of a broader trend of cyber actors targeting vulnerabilities in widely used VPN products, especially with the increase in remote work due to the COVID-19 pandemic [113406].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) Malicious: hackers with suspected ties to China exploited the vulnerabilities in Pulse Secure VPN to gain unauthorized access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410]. The attackers were highly skilled and used their access to steal account credentials and sensitive data belonging to victim organizations [113355]. FireEye reported that at least one of the hacking groups operates on behalf of the Chinese government and that the hackers were particularly focused on the US defense industry [113410]. The hackers were sophisticated, operated from US digital infrastructure, and used advanced tradecraft to camouflage their activity [113410].
(b) Non-malicious: the vulnerabilities in Pulse Secure VPN were not intentionally introduced to harm the system. They were exploited by hackers for espionage purposes, including traditional espionage and potential economic theft [113406]. Ivanti, the maker of Pulse Secure, stated that the hackers took advantage of a flaw in its software and that, while mitigations were in place, a fix for the issue would be unavailable until early May [113410]. The incident highlighted the risk associated with widely used VPN products as remote work became more prevalent during the COVID-19 pandemic [113406].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) Poor decisions: the exploitation of vulnerabilities in Pulse Secure VPN software by hackers with suspected ties to China appears to be a result of poor decisions in software development and cybersecurity practices. The hackers exploited known flaws and a newly discovered vulnerability in the software to gain unauthorized access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410, 113406]. The delayed release of software patches for these vulnerabilities, as mentioned in the articles, also indicates a lack of proactive decision-making in addressing security issues promptly.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) Development incompetence:
- Hackers with suspected ties to China repeatedly took advantage of vulnerabilities in the Pulse Secure VPN software to gain access to government agencies, defense companies, and financial institutions [113355, 113354].
- The hackers exploited a previously undisclosed vulnerability in the Pulse Connect Secure suite, indicating a flaw in the software that allowed unauthorized access to systems [113410].
- The cybersecurity company FireEye suspected that at least one of the hacking groups operates on behalf of the Chinese government, highlighting the sophistication of the attackers in exploiting the software vulnerabilities [113410].
(b) Accidental factors:
- The incident was described as a supply chain cyberattack, in which sophisticated groups targeted vulnerable software built by third parties to gain access to sensitive government and corporate networks [113406].
- The use of VPNs, including Pulse Secure, increased during the COVID-19 pandemic, raising the risk associated with these widely used products [113406].
- The incident was part of a pattern of cyber actors targeting vulnerabilities in widely used VPN products, indicating a trend rather than a one-time accidental occurrence [113406].

Category: Duration
Option: permanent
Rationale:
(a) Temporary: the incident appears temporary in that the vulnerabilities in Pulse Secure VPN were exploited by hackers with suspected ties to China for months, allowing them to gain unauthorized access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410], after which the incident was discovered and emergency measures were taken to mitigate potential damage, such as running integrity tools, installing updates, and scanning for compromises. Ivanti said that a fix for the vulnerability would be available in early May [113410]. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has been working with affected entities to evict the intruders and uncover evidence of the breach [113406].
(b) Permanent: the incident could also be considered permanent to some extent. The hackers exploited the vulnerabilities in Pulse Secure VPN for an extended period, with some intrusions starting as early as August of the previous year [113355]. The incident was not immediately detected, indicating a prolonged period of unauthorized access and potential data exfiltration. The long-term impact of the breach on the affected organizations, especially in terms of stolen data and compromised systems, contributes to a more permanent failure scenario.

Category: Behaviour
Option: crash, omission, value
Rationale:
(a) crash:
- Article 113355 reports that hackers exploited vulnerabilities in Pulse Secure VPN to gain access to organizations in the defense industrial sector, indicating a crash in which the software lost its intended state and was compromised [113355].
- Article 113354 describes how hackers took advantage of vulnerabilities in Pulse Secure VPN to gain access to federal civilian agencies, indicating a crash in the system's security that led to unauthorized access [113354].
- Article 113410 reports that hackers exploited a vulnerability in Pulse Connect Secure to spy on the U.S. defense industry, suggesting a crash in the system's security that allowed unauthorized access [113410].
(b) omission:
- Article 113354 reports that federal civilian agencies identified indications of potential unauthorized access after running the Pulse Connect Secure Integrity Tool, indicating that the system omitted to perform its intended function of preventing unauthorized access [113354].
- Article 113406 describes how hackers exploited vulnerabilities in Pulse Connect Secure, leading to potential breaches in federal civilian agencies, indicating that the system omitted to perform its intended function of securing the network [113406].
(c) timing: the articles make no specific mention of a timing-related failure.
(d) value:
- Article 113410 reports that hackers exploited a vulnerability in Pulse Connect Secure to spy on the U.S. defense industry, indicating a failure in which the system performed its intended functions incorrectly by allowing unauthorized access [113410].
(e) byzantine: the articles make no specific mention of a byzantine failure.
(f) other:
- The behaviour of the software failure incident can also be categorized as a security breach, in which the exploitation of vulnerabilities in Pulse Secure VPN led to unauthorized access to sensitive data [113355, 113354, 113410, 113406].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property
Rationale:
(d) property: people's material goods, money, or data were impacted due to the software failure.
- The exploitation of vulnerabilities in Pulse Secure VPN by hackers with suspected ties to China resulted in the theft of account credentials and other sensitive data belonging to victim organizations [113355].
- The hackers exploited a flaw in the Pulse Connect Secure suite to break into the systems of a limited number of customers, potentially leading to economic theft [113410].
- The incident involved data exfiltration across numerous environments, confirming the impact on data security [113406].

Category: Domain
Option: information, finance, government
Rationale:
(a) Information: the incident related to the production and distribution of information. Hackers exploited vulnerabilities in Pulse Secure VPN, a widely used remote connectivity tool, to gain access to government agencies, defense companies, and financial institutions in the US and Europe [113355, 113354, 113410].
(h) Finance: the incident also impacted the finance industry, as hackers targeted financial institutions in the US and Europe by exploiting the vulnerabilities in Pulse Secure VPN [113355, 113354, 113410].
(l) Government: the failed system was intended to support the government sector, as the incident involved breaches of federal civilian agencies in the US due to vulnerabilities in Pulse Secure VPN [113355, 113354, 113410].

Sources
