Nominet, the official registry for .UK domains and one of the largest country code registries globally, has disclosed a network breach stemming from the exploitation of an Ivanti VPN zero-day vulnerability.
The organization manages over 11 million domain names across .uk, .co.uk, and .gov.uk, as well as other top-level domains like .cymru and .wales. Until September 2024, Nominet also operated the U.K.'s Protective Domain Name Service (PDNS) on behalf of the National Cyber Security Centre (NCSC), safeguarding more than 1,200 organizations and over 7 million users.
Ongoing Investigation and Initial Findings
Nominet detected suspicious activity two weeks ago and is actively investigating the breach. According to a statement shared with BleepingComputer, the organization has found no evidence of backdoors being deployed on its systems. The company has reported the attack to relevant authorities, including the NCSC, and has restricted access to its systems via VPN connections as a precautionary measure.
"The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely," Nominet stated in a notice to customers. "However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems. Domain registration and management systems continue to operate as normal."
Details on the Exploited Vulnerability
The breach exploited a critical Ivanti Connect Secure zero-day vulnerability, tracked as CVE-2025-0282, which has been under active attack since mid-December. Ivanti released a patch for this vulnerability last week. Research from Macnica revealed that over 3,600 Ivanti Connect Secure (ICS) appliances were exposed online when the patch was deployed.
Suspected Chinese Espionage Link
According to cybersecurity firm Mandiant, which is part of Google Cloud, the attackers have ties to a suspected Chinese espionage group known as UNC5337. They reportedly used a custom malware toolkit named Spawn during these attacks. Additionally, new malware strains, including Dryhook and Phasejam, were deployed on compromised VPN appliances, though these have not yet been linked to a specific threat group.
Broader Implications
This is not the first time Ivanti vulnerabilities have been exploited. In October, the company patched three zero-day flaws in its Cloud Services Appliance (CSA) software that were also actively exploited by threat actors.
Nominet’s swift response and the absence of evidence indicating a data breach have minimized immediate risks. However, the incident highlights the growing threat posed by zero-day vulnerabilities, particularly those exploited by sophisticated adversaries targeting critical infrastructure.
Organizations are urged to review and update their security protocols, apply patches promptly, and monitor for unusual activity, especially if using Ivanti products.