Full Report
ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect
Analysis Summary
# Incident Report: ConnectWise Targeted Breach by Suspected Nation-State Actor
## Executive Summary
ConnectWise, the developer of the ScreenConnect remote access and support software, disclosed a cyberattack that it believes was carried out by a sophisticated nation-state actor and that affected a "very small number" of ScreenConnect customers. The company detected suspicious activity in its environment, engaged Google Mandiant to conduct forensics, and implemented enhanced monitoring and hardening across its environment. The incident highlights the risk that widely deployed remote access tooling carries; a recently patched high-severity vulnerability (CVE-2025-3935) has been raised as a possible factor, but ConnectWise has not confirmed any link to this incident.
## Incident Details
- Disclosure Date: May 28, 2025
- Discovery Date: Not stated; ConnectWise said it "recently learned" of the activity, so discovery preceded the May 28 disclosure by an undisclosed interval
- Incident Date: Undisclosed; prior to the May 28, 2025 disclosure
- Affected Organization: ConnectWise (Affecting a "very small number" of ScreenConnect customers)
- Sector: Software/Technology (Remote Access & Support)
- Geography: Not explicitly disclosed
## Timeline of Events
### Initial Access
- Date/Time: Undisclosed
- Vector: Undisclosed. ConnectWise attributes the activity to a sophisticated nation-state actor. CVE-2025-3935, a high-severity ScreenConnect vulnerability patched in April 2025, has been raised as a possible vector, but ConnectWise has **not confirmed** any link to this incident.
- Details: Suspicious activity was observed within the ConnectWise environment affecting some ScreenConnect customers.
### Lateral Movement
- Details: Information regarding lateral movement is not disclosed in the advisory.
### Data Exfiltration/Impact
- Details: The nature and scope of any data compromised are not disclosed. ConnectWise has described the impact only as affecting a "very small number" of ScreenConnect customers.
### Detection & Response
- Date/Time: Discovery shortly before the May 28, 2025 disclosure (exact date not stated)
- Details: ConnectWise learned of suspicious activity in its environment, notified affected customers, engaged Google Mandiant for forensic investigation, and implemented enhanced monitoring and hardening measures.
## Attack Methodology
- Initial Access: Sophisticated nation-state actor activity (Specific method unknown; prior CVE-2025-3935 exploitation is a potential vector but unconfirmed).
- Persistence: Not disclosed.
- Privilege Escalation: Not disclosed.
- Defense Evasion: Not disclosed.
- Credential Access: Not disclosed.
- Discovery: Not disclosed.
- Lateral Movement: Not disclosed.
- Collection: Not disclosed.
- Exfiltration: Not disclosed.
- Impact: Compromise of a "very small number" of ScreenConnect customer environments possibly via ConnectWise infrastructure.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Type/volume unknown, affected systems included ScreenConnect customer environments.
- Operational: No operational disruption at ConnectWise was reported, and the company has not described any impact to the operations of the affected customers.
- Reputational: Disclosure itself likely impacts trust in the ScreenConnect product ecosystem.
## Indicators of Compromise
- Network indicators: None disclosed. ConnectWise has not published technical indicators while the Mandiant investigation is ongoing.
- File indicators: None disclosed.
- Behavioral indicators: None beyond ConnectWise's description of "suspicious activity" within its environment.
## Response Actions
- Containment measures: Not detailed; ConnectWise states that it implemented enhanced monitoring and hardening across its environment and notified the affected customers.
- Eradication steps: Not disclosed; ConnectWise engaged Google Mandiant to conduct the forensic investigation.
- Recovery actions: ConnectWise states that it has **not observed any further suspicious activity** in customer instances.
## Lessons Learned
- A sophisticated actor targeted the vendor of a widely deployed remote access product. Compromise at the vendor or hosting layer can reach customer environments without any action by the customer, which makes remote access tooling a high-value target.
- A high-severity vulnerability (CVE-2025-3935) was patched about a month before the disclosure. ConnectWise has not linked it to this incident, but the product's recent history of actively exploited flaws means patch status for every instance should be treated as a priority regardless.
## Recommendations
- Organizations running ScreenConnect should verify that every instance is on a release that includes the fix for CVE-2025-3935 (25.2.4 or later per ConnectWise's April 2025 advisory). Cloud-hosted instances are patched by ConnectWise; self-hosted (on-prem) instances must be updated by the operator and are the ones most likely to lag.
- Implement strict network segmentation and monitoring around all remote access solutions, so that a compromised support server cannot reach arbitrary internal hosts.
- Review authentication logs and methods for ScreenConnect services, including administrator logins, MFA enrollment, and newly created or modified accounts, for activity that does not match known administrator behavior.
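As an added example (not part of ConnectWise's advisory or of the original report), the following Python script triages a server inventory against the fixed release. It assumes that 25.2.4 is the release ConnectWise's advisory for CVE-2025-3935 names as the fix (adjust `FIXED_VERSION` if the advisory you consult differs), that ScreenConnect's four-part version strings such as `25.2.4.1234` should count as patched when their first three components meet the fix, and that the `host,version,hosting` inventory format and all hostnames, versions and build numbers below are constructed for this example.

```python
"""Triage ScreenConnect servers against the fixed release for CVE-2025-3935.

Added example, not vendor code. Assumptions are marked inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption: the release ConnectWise's advisory names as the fix. Adjust if
# the advisory you rely on differs.
FIXED_VERSION = "25.2.4"

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(text: str) -> tuple[int, ...]:
    """'25.2.4.1234' -> (25, 2, 4, 1234); raises ValueError for anything else."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version >= fixed. Shorter tuples are zero-padded, so a bare
    '25.2.4' equals '25.2.4.0' and every 25.2.4.x build counts as fixed."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    return v + (0,) * (width - len(v)) >= f + (0,) * (width - len(f))


@dataclass
class Triage:
    patched: list[str] = field(default_factory=list)
    unpatched: list[tuple[str, str]] = field(default_factory=list)  # (host, version)
    review: list[tuple[str, str]] = field(default_factory=list)     # (host, reason)


def triage(inventory: str, fixed: str = FIXED_VERSION) -> Triage:
    """Classify 'host,version,hosting' lines.

    Cloud-hosted instances are patched by the vendor, so they are sent to
    'review' (confirm status with the vendor) instead of being judged on a
    version string the operator does not control. Blank lines and '#'
    comments are skipped; anything unparseable also lands in 'review' rather
    than silently disappearing from the report.
    """
    result = Triage()
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, version, hosting = (p.strip() for p in line.split(","))
        except ValueError:
            result.review.append((line, "malformed inventory line"))
            continue
        if hosting.lower() == "cloud":
            result.review.append((host, "cloud-hosted: confirm patch status with vendor"))
            continue
        try:
            if is_patched(version, fixed):
                result.patched.append(host)
            else:
                result.unpatched.append((host, version))
        except ValueError as exc:
            result.review.append((host, str(exc)))
    # Oldest builds first: they are the most urgent to fix.
    result.unpatched.sort(key=lambda hv: parse_version(hv[1]))
    return result


# Constructed sample inventory for this example; hosts, versions and build
# numbers are made up and do not correspond to real ScreenConnect releases.
SAMPLE_INVENTORY = """\
# host,version,hosting
sc-prod-01,25.2.4.1234,on-prem
sc-prod-02,25.2.3.1200,on-prem
sc-lab,24.4.6.1100,on-prem
sc-legacy, 23.9.8.900 ,on-prem
sc-cloud,25.2.4.1234,cloud
sc-broken,unknown,on-prem
"""


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print("patched:  ", report.patched)
    print("unpatched:", report.unpatched)
    print("review:   ", report.review)
```

Feed it the output of whatever asset inventory you already keep (CMDB export, RMM query, or the version shown on each server's Administration page); the point of the `review` bucket is that an unknown or vendor-managed instance is never counted as patched by default.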