Ivanti vulnerabilities exploited by Volt Typhoon, four other groups targeting US energy and defense sectors
These five groups identified are linked to China. In addition to the five Chinese groups, Mandiant observed three cybercriminal operations exploiting the vulnerabilities.
Numerous hacking groups, including Volt Typhoon, are exploiting the vulnerabilities targeting Ivanti, an IT software company.
Warnings issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and several prominent cybersecurity agencies globally have underscored the severity of these vulnerabilities, labelled CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.
A report from Mandiant, a security firm owned by Google, highlights the emergence of multiple clusters of activity exploiting these vulnerabilities, particularly impacting Ivanti Connect Secure and Ivanti Policy Secure gateways.
The researchers at Mandiant commenced tracking a group, possibly Volt Typhoon, in February. This group, identified in association with TAG-87 and BRONZE SILHOUETTE, has been targeting the energy and defence sectors within the US Since Ivanti publicly disclosed the vulnerabilities on 10 January, four other China-based groups have been identified as exploiting these vulnerabilities.
Apart from suspected state-sponsored espionage groups affiliated with China, Mandiant has also detected financially motivated actors leveraging CVE-2023-46805 and CVE-2024-21887, likely for activities such as crypto-mining. In addition to the five Chinese groups, Mandiant observed three cybercriminal operations exploiting the vulnerabilities.
The report primarily scrutinises the activities of five China-nexus clusters involved in intrusions. One of these clusters, UNC5221, had exploited CVE-2023-46805 and CVE-2024-21887 before Ivanti’s disclosure. However, Volt Typhoon did not successfully compromise Ivanti Connect Secure. Mandiant’s investigations revealed four distinct malware families used in tandem to establish stealthy and persistent backdoors, facilitating long-term access and evasion of detection.
The intruders used their access to delve deeper into the victims’ networks, often compromising tools from Microsoft and VMware. Patches for all three vulnerabilities are currently available. Mandiant’s report coincides with Ivanti’s CEO announcing a series of operational changes following a string of high-profile incidents.
About author
Anastasiya Kazakova
Anastasiya Kazakova is a cyber diplomacy knowledge fellow at DiploFoundation, focusing on cyber conflict, cybercrime, and cybersecurity topics. Anastasiya also implements the Geneva Dialogue on Responsible Behaviour in Cyberspace.