Hackers breached organizations in defense, energy, other sectors, cybersecurity firm says
Suspected foreign hackers breached nine global organizations across the defense, education, energy, health care and technology sectors, including servers used by companies working with the U.S. Department of Defense, according to findings shared by a cybersecurity company.
A report posted Sunday from Palo Alto Networks, a company offering network security solutions, said hackers targeted at least 370 organizations running Zoho ManageEngine servers in the U.S. alone.
"As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet," Palo Alto Networks said in the report. "Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries."
It did not name any of the targeted organizations.
The U.S. Cybersecurity and Infrastructure Security Agency, along with the U.S. Coast Guard and FBI, had put out an alert a day before the start of the threat activity. The alert warned about a "newly identified vulnerability" related to a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus.
Palo Alto Networks noted that while attribution "is still ongoing," specific tactics and tools used in the apparent hacking efforts correlated with those used by Chinese cyber-espionage group Threat Group 3390, also known as Emissary Panda, TG-3390, APT 27 and Bronze Union.
"Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration," Palo Alto Networks said in the report.
Ryan Olson, a senior Palo Alto Networks executive, told CNN that hackers stole passwords from some targeted organizations with a goal of maintaining long-term access to those networks. As a result, they could potentially intercept sensitive data sent over email or stored on computer systems until they are ultimately kicked out of the network.
Olson called the nine confirmed victims the "tip of the spear" of the apparent spying campaign and said he expects more victims to emerge.
Palo Alto Networks said the findings were shared with other members of Cyber Threat Alliance, a nonprofit that aims to improve cybersecurity around the world by sharing threat information among companies and organizations in the field.
The U.S. Justice Department has stepped up its efforts to combat ransomware and cybercrime through arrests and other actions in recent weeks. The White House regards the issue as an urgent economic and national security threat.
Deputy Attorney General Lisa Monaco told the Associated Press last week that "in the days and weeks to come, you’re going to see more arrests," more seizures of ransom payments to hackers and additional law enforcement operations.
Arrests of foreign hackers are significant for the Justice Department since many of them operate in the refuge of countries that do not extradite their own citizens to the U.S. for prosecution.
The Justice Department in June seized $2.3 million in cryptocurrency from a payment made by Colonial Pipeline following a ransomware attack that caused the company to temporarily halt operations, creating fuel shortages in parts of the country.
Meanwhile, European law enforcement authorities announced Monday that seven suspected hackers linked to ransomware attacks that have targeted thousands of victims have been arrested since last February as part of a global cybercrime crackdown.
The arrests were part of a law enforcement investigation called GoldDust that involved the U.S. and 16 other countries. REvil, also known as Sodinokibi, has been linked in recent months to ransomware targeting the world's largest meat processor, JBS SA, as well as a Fourth of July weekend attack that snarled businesses around the world through a breach of a Florida-based software company called Kaseya.
This story was reported from Cincinnati. The Associated Press contributed.