Nation-State Hackers Target Remote Software Vendor ConnectWise
Florida-based remote software vendor ConnectWise has been targeted by a state-sponsored hacking group, which infiltrated its systems and accessed sensitive information. The company warned of the breach earlier this week, stating that it "recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor."
ConnectWise sells services to managed service providers (MSPs), which companies hire to help manage their IT and computer systems. This raises concerns about the potential scope of the breach, as hackers may have accessed these MSPs' networks and compromised multiple companies.
The incident is believed to have occurred in August 2024, although ConnectWise did not announce it until recently. Cybersecurity researchers suspect that the breach is linked to a "high"-severity ScreenConnect vulnerability tracked as CVE-2025-3935, which can allow hackers to execute malicious computer code on web servers.
ScreenConnect vulnerabilities have previously been exploited by notorious hacking groups, including the Black Basta ransomware operation and the North Korea-attributed nation-state group Kimsuky. According to security vendor Blackpoint Cyber, these groups have used similar vulnerabilities in the past to gain unauthorized access to systems.
ConnectWise patched the CVE-2025-3935 vulnerability last month, but it's unclear if this was related to the breach. The company has provided few details about the incident, but says it hired Google's cybersecurity unit Mandiant to investigate the breach.
"We have contacted all affected customers and are coordinating with law enforcement," ConnectWise stated in its alert. "As part of our work with Mandiant, we implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances."
Despite the limited scope of the breach, it highlights the ongoing threat of nation-state hackers targeting remote software vendors like ConnectWise. As the use of remote access tools and managed services continues to grow, so too does the risk of cyberattacks on these critical infrastructure points.
Investigations by cybersecurity researchers and law enforcement agencies will likely shed more light on the motivations behind this breach and the potential extent of the damage. For now, ConnectWise's efforts to mitigate the risks and protect its customers are a welcome step in the right direction.