The top U.S. cyber watchdog agency issued an emergency directive Friday, mandating that all federal agencies protect themselves against a dangerous vulnerability in a popular software program. The watchdog said it is conducting investigations into whether China had used the program to spy on the agencies.

The program used by the agencies is called Ivanti Connect Secure, which allows employees to remotely connect to work. A devastating vulnerability in the program, first discovered in December by the cybersecurity company Volexity, can grant hackers significant access to the businesses or government agencies that use it and allows for the creation of additional back doors to return later.

As news of the vulnerability has become widespread, at least 1,700 known organizations around the world have been hacked with it, Volexity has found.

In a press call with reporters late Friday afternoon, Eric Goldstein, the executive assistant director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that hackers have learned about the vulnerability and increasingly have tried to hack companies and government agencies that use Connect Secure.

“We have observed additional targeting of federal agencies as part of the broader opportunity campaign at this point. Each of those instances are under investigation by CISA and the relevant agency,” Goldstein said.

Someone tried to use the Ivanti flaw to try to hack some federal agencies, Goldstein said, though it wasn’t yet clear if any had been successful. Around 15 agencies use the software, he said.

The hacking campaign echoes a strikingly similar one in 2021, when CISA announced that a vulnerability in an earlier version of the same program, at the time called Pulse Secure, had enabled hackers to gain access to multiple federal U.S. agencies. The cybersecurity company Mandiant, now owned by Google, said at the time that the hackers who had gained access to federal systems were members of a Chinese intelligence service conducting espionage.

A spokesperson for China’s embassy in Washington said in an email that “the Chinese government’s position on cyber security is consistent and clear. We have always firmly opposed and cracked down on all forms of cyber hacking in accordance with the law. The remarks by the U.S. side is completely distorting the truth.”

deflected that claim at the time, and often disputes the frequent accusations of cyberespionage made by U.S. and other Western officials and Western cybersecurity companies. The embassy did not immediately reply to a request for comment about CISA’s investigation.

Goldstein stopped short of blaming China for the most recent attempts, but said that what his agency had seen “would be consistent with what we have seen from PRC actors,” using an acronym for the country’s official name, the People’s Republic of China.

“At this time, we do not have any evidence to suggest that PRC actors have used these vulnerabilities to exploit federal agencies. But of course, we are focused on that very issue and driving urgent mitigation to ensure that both our federal networks and critical infrastructure are taking the right steps in response,” he said.