Jan 26, 2024 - Technology

Ivanti flaws could hurt defense contractors


Illustration: Annelise Capossela/Axios

Weeks into the mass exploitation of security flaws in some Ivanti VPN products, defense and intelligence officials are still trying to piece together whether hackers are burrowing into military contractors' networks.

Why it matters: Nation-state spies and cybercriminals are continuing to exploit unpatched flaws in Ivanti software that the Department of Defense and many of its contractors use in their systems.

Driving the news: A senior National Security Agency official told reporters Wednesday that several defense contractors — mostly small to medium-sized organizations — have told the agency that they're investigating potential hacks tied to the Ivanti vulnerabilities.

  • However, the official couldn't say precisely how many contractors are affected while investigations are underway and organizations respond to incidents that could involve any of the myriad security flaws disclosed in recent months.
  • "We have seen a lot of companies [responding to potential intrusions]," the official added. "It's widespread."

Catch up quick: In the weeks since Ivanti unveiled two unpatched security vulnerabilities in its widely used Connect Secure and Policy Secure VPNs, hackers have been targeting the devices on a massive scale.

  • The Cybersecurity and Infrastructure Security Agency said last week that it's investigating potential hacks at some of the roughly 15 agencies using affected Ivanti products.
  • Reports estimate that hundreds of VPNs have been compromised, and Ivanti has yet to release a patch.

The big picture: The defense industrial base includes more than 100,000 contractors and their subcontractors, many of which are small to medium-sized businesses.

  • Because of this, it's difficult to say precisely how many defense companies are responding to intrusions and what scope or significance a potential hack could have, the senior NSA official added.

The other side: Steve Shirley, executive director of cyber threat intel-sharing group National Defense ISAC, told Axios via email that the recent Ivanti disclosures "produced no particular drama" among the organization's approximately 150 members.

  • However, Shirley noted that the experience of the group's member organizations — which include a mix of giants like Lockheed Martin and smaller contractors — might not be the same across the entire base given his members are "sharply focused" on cybersecurity.
  • The Pentagon did not respond to multiple requests for comment.

Between the lines: Last year, federal officials uncovered a wide-reaching, China-linked campaign designed to take down U.S. military organizations and critical infrastructure.

  • "Somehow the Chinese have managed to reverse-engineer a lot of our military equipment, and there's a reason for that," Padraic O'Reilly, founder and chief innovation officer at CyberSaint Security, told Axios.

Zoom out: The Defense Department has spent recent years trying to tighten up cybersecurity across the defense industrial base, especially given the growing interest from China, Russia and other nation-state hackers in targeting insecure contractors in espionage campaigns.

  • Defense companies are staring down new cybersecurity requirements — including those surrounding patch management — in government contracts, O'Reilly said.
  • "I'm much more optimistic than I was last year and the year before," O'Reilly said. "[The federal government is] stepping it up, and if you want to sell to the federal government, you're going to have to do certain things and you're going to have to be able to prove it now."

What we're watching: Expect new details in the coming weeks about how the defense sector is responding to incidents tied to Ivanti and other software providers.
