Chinese state-sponsored hackers exploited a secret backdoor in VPN software to breach the networks of at least 120 organisations, including government agencies and military contractors, according to a new report by Bloomberg. The breach, which occurred through a subsidiary of software giant Ivanti, remained undisclosed to the public until now.
The incident, discovered in February 2021, involved Pulse Secure, a virtual private network appliance provider acquired by Ivanti. Hackers planted a backdoor within the VPN software and then used it to gain persistent, undetected access to customer networks across Europe and the United States.
Institutional Knowledge Lost in Cost-Cutting
Bloomberg's investigation links the security failure to broader corporate strategy following Ivanti's 2017 acquisition by private equity firm Clearlake Capital Group. Subsequent rounds of layoffs, particularly in 2022, reportedly led to the departure of employees with deep institutional knowledge of the company's core products and their security frameworks.
“The cuts affected employees who had deep institutional knowledge of the company’s products and their security,” the report states, suggesting a direct impact on product oversight. Cybersecurity firm Mandiant was aware of the breaches and had alerted Ivanti that the flaw was being used to target military contractors.
A Pattern of Critical Vulnerabilities
This newly revealed incident is not isolated. Ivanti's VPN products have been at the centre of multiple critical security crises in recent years. In early 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took the extraordinary step of ordering all federal agencies to disconnect their Ivanti VPN appliances within 48 hours due to active exploitation of vulnerabilities unknown to the company.
Furthermore, Ivanti warned customers last year that hackers were exploiting another critical flaw in its Connect Secure product to compromise corporate networks. The pattern echoes issues seen at rival firm Citrix, which also experienced significant layoffs and a surge in cybersecurity incidents following a private equity takeover in 2022.
Neither Ivanti nor Mandiant responded to requests for comment on the Bloomberg report. The revelation underscores the persistent threat posed by state-sponsored actors targeting fundamental network security tools and raises questions about the impact of private equity-driven cost-cutting on long-term cybersecurity resilience.