NSA Reports Ivanti Cyberattacks Detected Targeting US Defense Industry

The U.S. National Security Agency has confirmed that hackers exploiting flaws in Ivanti’s widely used enterprise VPN appliance have targeted organizations across the U.S. defense sector. Confirmation that the NSA is tracking these cyberattacks comes days after Mandiant reported that suspected Chinese espionage hackers have made “mass attempts” to exploit multiple vulnerabilities impacting Ivanti Connect Secure, the popular remote access VPN software used by thousands of corporations and large organizations worldwide. Mandiant said earlier this week that the China-backed hackers tracked as a threat group it calls UNC5325 had targeted organizations across a variety of industries. This includes the U.S. defense industrial base sector, a worldwide network of thousands of private sector organizations that provide equipment and services to the U.S. military, Mandiant said, citing earlier findings from security firm Volexity. Akamai said in an analysis published last week that hackers are launching approximately 250,000 exploitation attempts each day and have targeted more than 1,000 customers.

The confirmation has come directly from the U.S. National Security Agency that hackers are taking advantage of weaknesses in Ivanti’s widely used enterprise VPN appliance to target organizations in the U.S. defense sector.

NSA representative Edward Bennett confirmed in a statement sent via email to TechCrunch on Friday that, along with other interagency partners, the intelligence agency is closely monitoring the widespread repercussions caused by the recent exploitation of Ivanti products, including within the defense sector of the United States.

“The Cybersecurity Collaboration Center of the NSA is working alongside our partners to detect and mitigate this concerning activity,” added the spokesperson.

This confirmation of the NSA’s involvement in tracking these cyberattacks comes just days after Mandiant reported that a group of suspected Chinese hackers, referred to as UNC5325, have made “mass attempts” to exploit numerous vulnerabilities found in Ivanti Connect Secure, a popular software used for remote access VPN by countless corporations and large organizations globally.

Mandiant stated earlier this week that the group UNC5325, believed to be backed by China’s espionage activities, have targeted a variety of industries, including the U.S. defense industrial base sector which comprises thousands of private organizations spread worldwide that supply equipment and services to the U.S. military, according to findings from security firm Volexity.

In their findings, Mandiant underlined UNC5325’s “significant knowledge” of Ivanti Connect Secure appliance and the use of living-off-the-land techniques, meaning they are making use of legitimate tools and features already present in the targeted systems to better evade detection. Moreover, these China-backed hackers have also resorted to novel malware, allowing them to stay embedded in Ivanti devices even in cases of factory resets, system upgrades, and application of patches.

This viewpoint was corroborated in the warning advisory published by the United States cybersecurity agency, CISA, on Thursday, which cautioned that hackers exploiting the vulnerable Ivanti VPN appliances can potentially maintain root-level persistence even after performing factory resets. The federal cybersecurity agency tested the integrity of Ivanti’s software and found that confirmed hackers have managed to fool their Integrity Checker Tool, resulting in a “failure to detect compromise.”

In response to CISA’s findings, Ivanti’s chief information security officer, Mike Riemer, downplayed the results and told TechCrunch that Ivanti does not consider CISA’s test to be applicable to a live customer environment. Additionally, Riemer mentioned that there are currently no known instances of successful threat actor persistence after implementing recommended security updates and factory resets, as recommended by Ivanti.

It is still unknown how many of Ivanti’s customers have been affected by the widespread exploitation of Connect Secure’s vulnerabilities that commenced back in January. According to Akamai’s analysis published last week, these hackers are launching around 250,000 attempts to exploit the vulnerabilities on a daily basis, while having targeted over 1,000 customers so far.

Avatar photo
Max Chen

Max Chen is an AI expert and journalist with a focus on the ethical and societal implications of emerging technologies. He has a background in computer science and is known for his clear and concise writing on complex technical topics. He has also written extensively on the potential risks and benefits of AI, and is a frequent speaker on the subject at industry conferences and events.

Articles: 799

Leave a Reply

Your email address will not be published. Required fields are marked *