Remote monitoring and management (RMM) software provider ConnectWise on May 28 reported that an undisclosed nation-state actor has affected “a very small number” of its ScreenConnect customers.
The company, which reportedly has 45,000 managed service provider (MSP) customers, launched an investigation with Google Mandiant in response. The firm said it has contacted all affected customers and was coordinating with law enforcement.
“As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment,” said the ConnectWise advisory. “We have not observed any further suspicious activity in any customer instances.”
ConnectWise also said it was closely monitoring the situation and will share additional information as it becomes available.
As of Friday afternoon, the identity of the specific state actor or the customers affected was not known. ConnectWise’s last communication was this past Wednesday; an email effort Friday asking the company for comment was unsuccessful.
“Targeting a widely deployed MSP remote management platform reveals strategic intent to gain persistent footholds, leverage trusted supply chain relationships, escalate privileges across multiple victim networks, harvest sensitive intellectual property, and conduct lateral movement under stealth across critical infrastructure ecosystems,” said Nic Adams, co-founder and CEO of 0rcus. “The overall magnitude of sophistication and selection remains indicative of geopolitical espionage priorities, resource-backed operational depth, plus supply chain compromise as an asymmetric force multiplier.”
John Bambenek, president at Bambenek Consulting, said the ConnectWise advisory highlighted a growing trend that nation-state actors are going to MSPs and technology providers as a gateway into their true victims’ environments.
“MSPs and service providers should take increased vigilance knowing that if such a breach occurs, they could be liable if they are found to have lax security practices,” said Bambenek.
Toby Gouker, chief security officer at First Health Advisory, added that the cybersecurity insurance firm At-Bay Research reported last year that remote-access tools were the primary intrusion vector for nearly 60% of ransomware attacks in 2023.
Gouker, an SC Media columnist, said that with this level of success, nation-state actors will continue to use tools such as ConnectWise ScreenConnect, AnyDesk, TeamViewer, Atera, and Splashtop as a primary entry point for conducting espionage, ransomware, and other forms of cyberattacks.
“These attacks exploit the legitimate and trusted remote management tools for their vulnerabilities along with using the tools to launch social-engineering attacks,” said Gouker.
Gouker pointed out the various instances in which nation-state groups have exploited such RMM tools.
The Iranian-linked group Static Kitten was reported to use RMM tools to establish access within target networks.
North Korean operatives have capitalized on the remote work trend by posing as IT help desk professionals.
Chinese state-sponsored groups have been accused of capitalizing on vulnerabilities in remote access solutions. In January of 2024, they allegedly exploited zero-day vulnerabilities in Ivanti Connect Secure and Policy Secure, gaining unauthorized access to an array of organizations.
Russian-affiliated groups are also active with remote access tools. In June 2024, TeamViewer reported a breach of its corporate IT network by the group known as Cozy Bear. Even though TeamViewer reported that its data and product were unaffected, the incident shows a global shift among state actors toward capitalizing on RMM as an entry point. Additionally on the Russia front, Qakbot malware has been reported to use RMM tools like Atera and Splashtop to establish a foothold for attackers in networks.
ConnectWise has been tied to various incidents involving exploitation and potential exploitation. In February 2024, Google Mandiant observed exploitation of a CVSS 10.0 ConnectWise ScreenConnect bug, CVE-2024-1709, which Google Mandiant said compromised hundreds of organizations in the U.S. and Canada.
And last month, ConnectWise disclosed and patched a high-severity authentication flaw in ScreenConnect, CVE-2025-3935, but no exploitation has yet been reported.