NSA Tracking Chinese Cyberattacks on US Defense Sector – Guy D. McCardle
A Significant Impact
The U.S. National Security Agency (NSA) has acknowledged that it is actively tracking and addressing the significant impact of cyberattacks exploiting vulnerabilities in Ivanti’s enterprise VPN appliance, mainly targeting the U.S. defense sector. This confirmation follows reports by cybersecurity firm Mandiant, which identified suspected Chinese espionage hackers making extensive attempts to exploit multiple vulnerabilities in Ivanti Connect Secure. This software is crucial for remote access VPN services used globally by numerous corporations and large organizations.
In a statement emailed to leading technology media outlet TechCrunch on March 1st, Edward Bennett, a spokesperson for the NSA, revealed that the agency, together with its interagency partners, is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”
Hackers Identified
Mandiant has tracked the activities of these hackers, identified as threat group UNC5325, noting their focus on organizations within various industries, including the U.S. defense industrial base sector. This sector comprises thousands of private sector organizations that supply equipment and services to the U.S. military. Mandiant’s analysis highlights UNC5325’s deep understanding of the Ivanti Connect Secure appliance and its use of sophisticated techniques to evade detection. This includes the deployment of novel malware designed to maintain a presence on Ivanti devices despite factory resets, system upgrades, and patches.
Software Vulnerabilities Exposed
Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about the potential for hackers exploiting Ivanti VPN appliances to achieve root-level persistence, even after factory resets. CISA’s independent tests revealed vulnerabilities in Ivanti’s Integrity Checker Tool, which could fail to detect compromises. Despite these findings, Ivanti’s response, articulated by their field chief information security officer, Mike Riemer, suggests a downplaying of CISA’s concerns. Riemer contends that the test scenarios outlined by CISA may not be applicable in real-world customer environments and claims that Ivanti is unaware of any successful threat actor persistence following the recommended security updates and factory resets.
250,000 Exploitation Attempts per Day
The scale of the exploitation attempts is vast, with cloud computing and security giant Akamai reporting around 250,000 exploitation attempts daily, targeting over 1,000 customers. The exact number of Ivanti customers affected by these vulnerabilities, first exploited in January, remains unclear. This situation underscores the critical challenge of securing network infrastructure against sophisticated cyber threats, especially those backed by nation-states with significant resources and expertise in cyber espionage. The ongoing collaboration between national security agencies and private sector cybersecurity firms is crucial in detecting, mitigating, and preventing such cyberattacks to protect national security and critical infrastructure.
