UK domain registry Nominet confirms breach via Ivanti zero-day

Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.

The company manages and operates over 11 million .uk, .co.uk, and .gov .uk domain names and other top-level domains, including .cymru and .wales.

It also runs the UK's Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC), protecting more than 1,200 organizations and over 7 million end users.

Nominet is still investigating the incident but has not found evidence of any backdoors deployed on its systems, as first report by ISPreview.

Since it detected suspicious activity on its network, the company has reported the attack to relevant authorities, including the NCSC, and restricted access to its systems via VPN connections.

"The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely," Nominet says in a customer notice shared with BleepingComputer.

"However, we currently have no evidence of data breach or leakage. We already operate restricted access protocols and firewalls to protect our registry systems. Domain registration and management systems continue to operate as normal."

Nominet customer notice (BleepingComputer)

Attacks linked to suspected Chinese hackers

While the company didn't share more information on the VPN zero-day used in the attack, Ivanti said last week that hackers have been exploiting a critical Ivanti Connect Secure zero-day vulnerability (tracked as CVE-2025-0282) to breach a limited number of customers' appliances.

According to cybersecurity company Mandiant (part of Google Cloud), the attackers started leveraging this vulnerability in mid-December, using the custom Spawn malware toolkit (linked to a suspected China-linked espionage group tracked as UNC5337).

They've also deployed new Dryhook and Phasejam malware (not currently associated with a threat group) on compromised VPN appliances.

Macnica researcher Yutaka Sejiyama told BleepingComputer that over 3,600 ICS appliances were exposed online when Ivanti released a patch for the zero-day on Wednesday.

In October, Ivanti released more security updates to fix three other Cloud Services Appliance (CSA) zero-days that were also actively exploited in attacks.