US defense sector under attack by China-backed hackers, with NSA confirming Ivanti VPN exploits are to blame

The Ivanti enterprise VPN application is being exploited by hackers to target the US defense sector, the US National Security Agency has confirmed.

The US defense sector provides equipment and technology for the US military, which makes a potential compromise by China-backed groups significantly concerning.

Speaking to TechCrunch, NSA spokesperson Edward Bennett said that the agency is “tracking and aware of the broad impact from the recent exploitation of Ivanti products, to include of the [sic] U.S defense sector.”

250,000 exploitation attempts every day

Prior to the NSA confirmation, Mandiant stated that a China-backed group tracked as UNC5325 was actively exploiting Ivanti Connect Secure software to infiltrate thousands of organizations around the globe. The vulnerabilities in question are tracked as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

The UNC5325 group conducts complex attacks and uses techniques such as living-off-the-land to remain undetected when infiltrating target organizations. The US Cybersecurity & Infrastructure Security Agency (CISA) released an advisory stating that independent research conducted in a lab environment suggests that the group may be able to remain active within compromised devices even after a factory reset, although evidence of this persistence has not been seen outside of the lab.

It is also possible to fool the built-in Ivanti Integrity Checker Tool during an attack, leading to the tool’s “failure to detect compromise,” according to CISA’s own tests. Furthermore, a report published by Akamai says that the UNC5325 group could be conducting as many as 250,000 attacks every day across a range of more than 1,000 customers.

Ivanti field CISO Mike Riemer told TechCrunch the company “is not aware of any instances of successful threat actor persistence following implementation of the security updates and factory resets recommended by Ivanti.”

The attacks have been taking place since as early as January 2024, but the Biden Administration has been taking steps to boost national security by improving cybersecurity at ports and pressuring companies to move towards memory-safe programming languages.

Benedict Collins
Staff Writer (Security)