Chinese Hackers Erased Traces Days Before Discovery
Last month, cybersecurity experts at FireEye reported that two separate hacker groups were exploiting a zero-day vulnerability in Pulse Secure VPN to attack the networks of American defense contractors and government organizations worldwide.
According to FireEye, the breaches began as early as August 2020, when the first hacker group, tracked as UNC2630, targeted U.S. defense contractors and European organizations. Analysts believe these hackers “act on behalf of the Chinese government and may be linked to APT5,” another well-known Chinese cyber-espionage group.
In October 2020, a second hacker group, identified by FireEye as UNC2717, joined the attacks, though little was known about them at the time.
In both cases, the attackers installed web shells on vulnerable devices and then used them to move into the victims’ internal networks, stealing credentials, emails, and confidential documents.
Malware Deleted Before Public Disclosure
Now, in a new report, FireEye writes that further investigation into these attacks revealed something unusual: at least one of the groups involved began deleting its malware from compromised networks three days before the breaches were publicly disclosed.
“Between April 17 and 20, 2021, Mandiant experts observed UNC2630 accessing dozens of compromised devices and removing web shells such as ATRIUM and SLIGHTPULSE,” the analysts wrote.
The hackers’ actions appear suspicious and raise questions, chief among them whether they were aware of FireEye’s interest in their activities. The malware removal could be a coincidence, but if UNC2630 did know that FireEye was investigating some of the networks it had breached, the timing would suggest the hackers deliberately retreated and erased evidence to protect other ongoing operations from researchers.
New Details and Victim Profiles
FireEye also reports discovering new details about this hacking campaign. Experts found four additional malware strains, in addition to the twelve previously described.
Furthermore, FireEye continues to work with Pulse Secure developers to identify compromised devices and their owners. This collaboration has helped analysts learn more about the hackers’ targets. According to new data, most victims are organizations based in the United States, with others located in European countries. While it was previously believed the attacks targeted only defense contractors and government organizations, it is now clear that companies in telecommunications, finance, and transportation were also attacked.
Initially, FireEye analysts wrote that only UNC2630 might be linked to the Chinese government. Now, they are confident that both groups are engaged in cyber-espionage and “support key priorities of the Chinese government.”