Sep 30, 2022 - Technology

Cybersecurity firm Mandiant uncovers sophisticated espionage campaign


Illustration: Shoshana Gordon/Axios

Government officials are warning defense companies and other organizations handling sensitive information about a potential new espionage campaign uncovered by cybersecurity firm Mandiant on Thursday.

Driving the news: A sophisticated, unknown hacking group has created new malware that lets it install backdoors on VMware's virtualization software and move in and out of the systems it manages, according to a two-part Mandiant report.

Details: Hackers targeted the so-called "hypervisors," the layer of VMware's virtualization software that lets one physical computer create and manage several virtual machines. Endpoint security tools typically can't see inside those hypervisors, which makes the malicious code difficult to detect.

  • Researchers discovered the backdoors earlier this year on fewer than 10 victims' networks in North America and Asia.
  • Once installed, hackers can watch and run commands on any computer managed by the VMware tool.
  • Mandiant researchers haven't fully identified the hackers behind the campaign, but they have low confidence that they're connected to China.

The intrigue: Targeting hypervisors brings a long-held fear in the cybersecurity community to life, as Wired reports, since it allows hackers to take control of several machines just by hijacking one physical computer.

  • Before this week's findings, "hyperjacking" attacks, or those targeting hypervisors, only existed hypothetically in research papers.

The big picture: More than 400,000 customers use VMware's tech and services, per one company estimate, "including 100% of Fortune 500 and 100% of Fortune Global 100 companies."

What's next: VMware released tips Thursday for customers to help detect and mitigate the risks associated with the new malware strains.

  • Rob Joyce, director of cybersecurity at the National Security Agency, tweeted that the new report is "one to watch for the defense industrial base and others with sensitive information targeted by nation states."
  • The Cybersecurity and Infrastructure Security Agency encouraged all organizations to apply the mitigations and guidelines.