
US government scrambles to stop new hacking campaign blamed on China

Federal agencies are racing to contain a new wave of sophisticated hacking by suspected Chinese attackers that took advantage of previously undiscovered flaws in widely used security software from networking company Cisco.

The U.S. Cybersecurity and Infrastructure Security Agency issued a rare emergency directive on Thursday, ordering all civilian agencies to test Cisco firewall equipment before midnight Friday to see if it had been breached. Agencies must immediately disconnect devices that have been compromised, the directive said.

The CISA said that hundreds of potentially vulnerable devices were installed in federal networks and that some operated by private firms were used to protect critical infrastructure.

Because firewall equipment polices traffic entering a computer network, hackers who control it can monitor, change or misdirect communications or allow additional unauthorized access. Cisco previously said the group involved behaved as if it were backed by a national government.

Security experts warned that other spies and criminals now have enough information about the attack to use the same method, and would act quickly.

CISA officials did not say who is behind the attacks, but security experts, including researchers at computer security firm Palo Alto Networks, said the hackers were based in China.

The CISA did not dispute that conclusion. The Chinese embassy did not immediately respond to a request for comment.

Officials from the United States, Britain and other allies also urged private companies to check equipment running Cisco Adaptive Security Appliances software.

“We strongly urge them to adopt the measures” the CISA provided, said Chris Butera, acting deputy executive assistant director for cybersecurity at the agency. “The threat campaign is widespread.”

The techniques used in the recent attacks are especially alarming, Butera said in a briefing, because they allow hackers to hide their tracks and remain connected despite equipment reboots and upgrades. Some of the older affected equipment reaches the end of Cisco's support obligations after Sept. 30.

Butera said some U.S. agencies detected intrusions using this method as far back as May. CISA officials said they did not previously disclose the attacks because they did not yet know how the hackers had breached federal networks and then needed to have a fix ready.

Authorities sometimes don’t disclose breaches right away to avoid tipping off attackers. In this case, the CISA said it waited until a software patch was ready to provide more security to potential victims.

Cisco declined to address the delay or repeated issues with the firewall software.

Sam Rubin, a senior vice president at Palo Alto Networks, said the attackers’ group had gotten more sophisticated since it was detected using other methods against similar Cisco equipment early last year. He said it is now more focused than before on U.S. targets.

Thursday’s disclosure came amid a rash of new reports by Google and other companies about hacking from Chinese agencies and their contractors.
