Report: Chinese hackers exploited VPN flaws to breach Ivanti customers

Summary
– In February 2021, Chinese hackers breached Ivanti’s Pulse Secure VPN subsidiary by exploiting a secret backdoor they had planted in the software.
– This backdoor allowed the hackers to access the networks of 119 other organizations using the same VPN product, including European and U.S. military contractors.
– The breach is linked to private equity-driven cost-cutting and layoffs after Ivanti’s 2017 acquisition, which compromised product security and institutional knowledge.
– Similar security issues have occurred at rival Citrix, which also experienced layoffs after a private equity buyout and subsequent critical flaws.
– Ivanti’s VPN products have been involved in other major incidents, including a 2024 U.S. government order to disconnect them due to actively exploited vulnerabilities.
A recent report reveals that state-linked Chinese hackers successfully infiltrated the networks of numerous organizations by exploiting a hidden backdoor within Ivanti’s Pulse Secure VPN appliances. This previously undisclosed breach, which occurred in February 2021, allowed the attackers to access the systems of 119 different companies and government agencies. The incident underscores a growing concern about how corporate acquisitions and restructuring can inadvertently weaken cybersecurity defenses, leaving critical infrastructure exposed to sophisticated threats.
According to the report, the hackers had secretly implanted a backdoor into the VPN software. This vulnerability provided them with a persistent foothold, enabling unauthorized access to sensitive networks. The breach was not isolated to a single entity; security firm Mandiant also became aware of the intrusions, notifying Ivanti that the same flaw had been used to compromise European and U.S. military contractors.
This security failure is being linked to broader corporate changes within Ivanti. Following its acquisition by private equity firm Clearlake Capital Group in 2017, the company underwent significant cost-cutting measures and layoffs. These reductions reportedly affected staff with deep, irreplaceable knowledge of the company’s product security, potentially degrading the quality and oversight of its most vital technologies. The pattern mirrors issues seen at other cybersecurity firms, such as Citrix, which faced similar challenges after its own private equity buyout and subsequent workforce reductions.
Ivanti’s products have remained a target in the years since. In early 2024, the urgency of the situation was highlighted when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive. The order compelled all federal agencies to disconnect their Ivanti VPN appliances within 48 hours due to active exploitation of severe vulnerabilities that were, at the time, unknown to the vendor. Furthermore, Ivanti had to warn customers the previous year about hackers exploiting another critical flaw in its Connect Secure product to attack corporate networks.
The company and Mandiant did not provide comments on the newly reported 2021 breach. This event adds to a troubling history of incidents tied to Ivanti’s VPN solutions, demonstrating the persistent risks associated with remote access tools and the cascading security impacts of corporate financial maneuvers.
(Source: TechCrunch)