US defense sector under attack by China-backed hackers, with NSA confirming Ivanti VPN exploits are to blame

Computer chip with US and China flag
(Image credit: Shutterstock)

The Ivanti enterprise VPN application is being exploited by hackers to target the US defense sector, the US National Security Agency has confirmed.

The US defense sector provides equipment and technology for the US military, which makes a potential compromise by China-backed groups significantly concerning.

Speaking to TechCrunch, NSA spokesperson Edward Bennett said that the agency is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”

 250,000 exploitation attempts every day

Previous to the NSA confirmation, Mandiant stated a China-backed group tracked as UNC5325 was actively exploiting Ivanti Connect Secure software to infiltrate thousands of organizations around the globe. The exploits in question are being tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

The UNC5325 group conducts complex attacks and uses techniques such as living-off-the-land to remain incognito when infiltrating the target organizations. The US Cybersecurity & Infrastructure Security Agency (CISA) released an advisory, stating that independent research conducted in a lab environment suggests that the group may be able to remain active within compromised devices even after a factory reset, although evidence of this persistence has not been seen outside of the lab.

It is also possible to fool the built in Ivanti Integrity Checker Tool during an attack leading to the tool’s “failure to detect compromise” according to CISA’s own tests. Furthermore, a report published by Akamai says that the UNC5325 group could be conducting as many as 250,000 attacks every day across a range of more than 1,000 customers.

Ivanti field CISO Mike Riemer told TechCrunch the company “is not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

The attacks have been taking place since as early as January 2024, but the Biden Administration has been taking steps to boost national security by improving cybersecurity at ports and pressuring companies to move towards memory-safe programming languages.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.

He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.

Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.