Governance & Risk Management , Incident & Breach Response , Patch Management

Mitre Says Hackers Breached Unclassified R&D Network

Threat Actor Exploited Ivanti Zero-Day Vulnerabilities in Cyberattack
Mitre Says Hackers Breached Unclassified R&D Network
Hackes got into an unclassified Mitre network by using Ivanti Connect Secure zero-day vulnerabilities. (Image: Shutterstock)

Mitre, a federally funded research and development center active in cybersecurity research for the U.S. government, said Friday a nation-state threat actor breached one of its unclassified research and development networks.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The organization took its Networked Experimentation, Research and Virtualization Environment offline after detecting suspicious activity in April, it said in a blog post detailing the attack. An investigation revealed the threat actor exploited two Ivanti Connect Secure zero-day vulnerabilities to target Mitre's Virtual Private Networks, then dug deep into the organization's VMware infrastructure using a compromised administrator account (see: Center for Threat-Informed Defense).

"No organization is immune from this type of cyberattack, not even one that strives to maintain the highest cybersecurity possible," said Jason Providakes, president and CEO of Mitre. He added that the organization decided to disclose the incident due to its commitment "to operate in the public interest and to advocate for best practices that enhance enterprise security."

Mitre declined to provide additional comments about the ongoing investigation into the breach, but said there is currently no indication that its core enterprise network or partner systems were impacted.

The non-profit has spearheaded public-private partnerships at government-owned, contractor-operated research centers for decades, conducting research and prototyping projects in support of various federal agencies and their missions. Mitre currently operates six federally funded research and development centers on behalf of government agency sponsors, including the Departments of Defense, Treasury, Homeland Security and Health and Human Services.

The organization says its federal research and development centers help to provide the government with "organizational advice, long-term institutional memory and deep technical know-how."

Mitre recruited independent digital forensics incident response teams to perform their own analysis of the cyberattack alongside the organization's in-house experts, according to the blog post. The hackers used session hijacking to bypass multi-factor authentication requirements, then "employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials."

The organization initially thought it had secured its systems after upgrading, replacing and hardening its Ivanti system following vendor instructions and an advisory from the Cybersecurity and Infrastructure Security Agency regarding the zero-day vulnerabilities. But Mitre apparently failed to detect the lateral movement into its VMware infrastructure.

"At the time we believed we took all the necessary actions to mitigate the vulnerability," the post read, "but these actions were clearly insufficient."

Once inside the network, the threat actor continued leveraging compromised accounts to exfiltrate data and maintain a persistent presence within the VMware environment. Mitre said it eventually contained the compromised system and established a procedure to migrate projects to new environments, with the highest-priority projects expected to be back online in "clean environments" in fewer than two weeks.

Mitre said it plans to strengthen its defense by implementing additional security measures, enhancing employee training and awareness programs and conducting a comprehensive review of its cybersecurity posture. The organization also said it will aim to identify and address potential weaknesses in its vulnerability assessments and penetration testing.

About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.