US defense sector under attack by China-backed hackers, with NSA confirming Ivanti VPN exploits are to blame
US industrial base compromised by China-backed hackers
The Ivanti enterprise VPN application is being exploited by hackers to target the US defense sector, the US National Security Agency has confirmed.
The US defense sector provides equipment and technology for the US military, which makes a potential compromise by China-backed groups significantly concerning.
Speaking to TechCrunch, NSA spokesperson Edward Bennett said that the agency is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”
250,000 exploitation attempts every day
Prior to the NSA confirmation, Mandiant stated that a China-backed group tracked as UNC5325 was actively exploiting Ivanti Connect Secure software to infiltrate thousands of organizations around the globe. The vulnerabilities in question are tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
The UNC5325 group conducts complex attacks and uses techniques such as living-off-the-land to remain incognito when infiltrating the target organizations. The US Cybersecurity & Infrastructure Security Agency (CISA) released an advisory, stating that independent research conducted in a lab environment suggests that the group may be able to remain active within compromised devices even after a factory reset, although evidence of this persistence has not been seen outside of the lab.
It is also possible to fool the built-in Ivanti Integrity Checker Tool during an attack, leading to the tool’s “failure to detect compromise,” according to CISA’s own tests. Furthermore, a report published by Akamai says that the UNC5325 group could be conducting as many as 250,000 attacks every day across a range of more than 1,000 customers.
Ivanti field CISO Mike Riemer told TechCrunch the company “is not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”
The attacks have been taking place since as early as January 2024, but the Biden Administration has been taking steps to boost national security by improving cybersecurity at ports and pressuring companies to move towards memory-safe programming languages.
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.