Explore Nominet's VPN breach, the Ivanti zero-day vulnerability, and cybersecurity insights to protect critical infrastructure from advanced threats

Continue reading
In recent weeks, Nominet, the official .UK domain registry and one of the largest country code registries globally, confirmed a significant cybersecurity incident. The breach, reported to have occurred via a zero-day vulnerability in Ivanti Connect Secure, affected Nominet’s systems, prompting widespread scrutiny of the vulnerabilities in remote access software. The breach is a stark reminder of the continuous threats faced by organizations managing critical infrastructure, especially those handling domain name services and cyber defense systems.
This Threatfeed dives into the incident’s details, explaining the Ivanti VPN zero-day vulnerability, the malware used in the attack, and the steps organizations should take to protect themselves from similar risks.
On January 13, 2025, Nominet reported a breach within its systems due to a critical vulnerability in Ivanti Connect Secure. This vulnerability, tracked as CVE-2025-0282, allowed attackers to exploit a weakness in the VPN software’s remote access functionality. VPNs (Virtual Private Networks) are widely used in organizations for secure remote access to internal networks. They create an encrypted connection, ensuring confidentiality and integrity during data transmission. However, vulnerabilities in VPN systems can be exploited to gain unauthorized access to sensitive systems and data, as demonstrated by this incident.
Ivanti, the vendor behind Ivanti Connect Secure, had been tracking this vulnerability since mid-December 2024. The company reported that the vulnerability was actively being exploited by hackers, particularly targeting its VPN appliances. These exploits utilized a custom malware toolkit, Spawn, which is believed to be associated with a China-linked espionage group, UNC5337. This highlights a growing trend of state-sponsored cyber espionage groups using sophisticated malware to infiltrate high-value targets like Nominet, which handles over 11 million .uk domains, including government entities like .gov.uk.
The breach occurred when attackers exploited the Ivanti VPN vulnerability to infiltrate Nominet's network. It is essential to note that the attackers employed two specific types of malware during the breach: Spawn and Dryhook (and Phasejam). Spawn is a toolkit commonly linked to advanced persistent threat (APT) groups, while Dryhook and Phasejam are newer forms of malware that could potentially evolve into tools used for widespread espionage campaigns. These malware types allow attackers to maintain persistent access and deploy additional malicious payloads within compromised networks.
In addition to these custom malware tools, cybersecurity experts, including Mandiant, reported that over 3,600 Industrial Control Systems (ICS) appliances were exposed to the internet after Ivanti’s release of a patch for the zero-day vulnerability. This revelation underscores the severe security risks associated with unsecured VPNs in critical sectors such as energy, government, and industrial systems.
Following the detection of suspicious activity within its network, Nominet took immediate steps to mitigate the impact of the breach. The organization reported the attack to relevant authorities, including the National Cyber Security Centre (NCSC), and restricted VPN access to its systems. Furthermore, Nominet initiated an ongoing investigation to assess the full scope of the breach.
Although the company has not found any evidence of backdoors or data leakage, the event highlights the critical importance of adopting stringent cybersecurity measures. The fact that the attack originated through third-party software (Ivanti Connect Secure) emphasizes the potential vulnerabilities introduced by reliance on external vendors for essential security infrastructure.
It is also worth noting that Nominet no longer operates the UK’s Protective Domain Name Service (PDNS) as of September 2024. PDNS was a vital service protecting over 1,200 organizations and more than 7 million end users from cyber threats. Nominet’s ability to protect UK organizations through this service, while facing ongoing scrutiny due to this breach, puts a spotlight on the importance of having resilient, secure systems in place, especially in the realm of domain name services.
Nominet’s role as the registry operator for the .uk domain namespace is crucial to the functioning of the internet infrastructure in the UK. As one of the largest country code registries, Nominet manages millions of domain names, including highly sensitive government and organizational domains. A breach involving Nominet could have far-reaching consequences for the integrity of the UK's domain registration system. Thankfully, Nominet has assured its customers that domain registration and management systems continue to operate normally.
Despite the breach, Nominet has indicated that no data breach or leakage has occurred. The company’s registry systems are reportedly protected by robust firewalls and restricted access protocols, which could have helped limit the potential fallout from this attack. However, the security incident serves as a stark reminder of the vulnerabilities in even the most trusted infrastructure.
The Nominet breach serves as a critical learning point for organizations, especially those operating in domains related to cybersecurity, critical infrastructure, and government services. Here are several key takeaways:
The Nominet breach is just one example of the ever-evolving landscape of cyber threats. Attackers continue to refine their methods, using sophisticated malware, exploiting zero-day vulnerabilities, and targeting critical infrastructure. While Nominet’s response has been proactive, the incident serves as a wake-up call for organizations worldwide to invest in robust cybersecurity measures and adopt a zero-trust approach to network security.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.