Cyber Incident Victim: MITRE

Date:

Jan 2024

Location:

United States of America

Summary

A foreign nation-state threat actor breached MITRE's research and prototyping network by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection) to compromise its VPN, and bypassed multi-factor authentication by hijacking already-authenticated sessions. The attackers moved laterally into VMware infrastructure using a compromised administrator account, deploying backdoors and webshells for persistence and credential harvesting. MITRE contained the intrusion by isolating affected systems, opened a forensic investigation with third-party experts, and prioritized restoring secure operational alternatives for affected projects. No evidence was found that the core enterprise network was affected, but the incident showed what a capable adversary can do against edge devices such as VPN appliances, where endpoint detection tooling typically cannot run. MITRE disclosed details to advance industry defenses, emphasizing the attack's use of reconnaissance, lateral movement, and evasion techniques against a hardened network.

Description

In April 2024, MITRE confirmed a nation-state cyber intrusion targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network providing storage, computing, and networking resources. The attack began with adversary reconnaissance in January 2024, followed by exploitation of two Ivanti Connect Secure VPN zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The threat actor bypassed multi-factor authentication by hijacking existing authenticated sessions, so no MFA prompt was triggered, gained initial access, and moved laterally into VMware infrastructure using a compromised administrator account. Attackers deployed backdoors and webshells to maintain persistence and harvest credentials. MITRE's security team detected suspicious activity on NERVE, initiated an investigation, and severed all known threat actor access. Forensic analysis involving internal experts and third-party Digital Forensics and Incident Response teams confirmed the compromise was limited to NERVE, with no evidence of spread to MITRE's core enterprise network or partner systems. At the time of disclosure the investigation was ongoing to determine the full scope of potentially affected information.

Upon detection, MITRE immediately isolated affected systems and took NERVE offline. Because NERVE connected laboratories across the enterprise, this meant shutting down access infrastructure and isolating edge systems in many different labs, and an accurate network inventory proved critical for doing so quickly. MITRE's Board of Trustees established an ad-hoc governance committee, while the CTO coordinated response efforts across the CIO, CISO, business units, legal, and communications teams. Forensic analysis prioritized aggregating logs from sources the adversary could not have tampered with, so that adversary techniques could be mapped and the boundaries of the attack confirmed. MITRE provisioned alternative compute, storage, and networking resources for projects, conducting security audits before migrating high-priority projects to new environments with under two weeks of downtime. The organization maintained transparent communication with employees, customers, law enforcement, and the public, citing its public-interest mission as justification for disclosure. Enhanced monitoring included rapid deployment of new sensor suites and integration of indicators of compromise from partners and law enforcement to augment threat hunting across other networks. Restoration of operational alternatives for collaboration proceeded alongside the continuing forensic investigation.
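Two of the checks a defender would want after reading the description above are (1) hunting for hijacked VPN sessions, i.e. sessions that completed MFA from one source address and were then used from another, which is the pattern that lets an attacker sidestep MFA without ever seeing a prompt, and (2) matching partner-supplied indicators of compromise against aggregated logs. The script below is an added example and is not MITRE's tooling or anything taken from the incident sources; the key=value log layout, the event names (MFA_OK, RESOURCE_ACCESS), the sample lines and the IOC list are all constructed for the example and do not reflect the real Ivanti Connect Secure log schema.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample VPN session log. The key=value layout and event names are a
# hypothetical format chosen for this example, not Ivanti's real log schema.
# Session S1 completes MFA from one address and is later used from another.
SAMPLE_LOG = """\
2024-01-10T08:01:02Z session=S1 user=alice src=203.0.113.10 event=MFA_OK
2024-01-10T08:05:11Z session=S1 user=alice src=203.0.113.10 event=RESOURCE_ACCESS path=/intranet
2024-01-10T09:12:45Z session=S1 user=alice src=198.51.100.77 event=RESOURCE_ACCESS path=/vcenter
2024-01-10T08:02:00Z session=S2 user=bob src=192.0.2.5 event=MFA_OK
2024-01-10T08:20:00Z session=S2 user=bob src=192.0.2.5 event=RESOURCE_ACCESS path=/wiki
2024-01-10T08:30:00Z session=S4 user=dave src=192.0.2.9 event=RESOURCE_ACCESS path=/wiki
"""

# Constructed IOC list standing in for indicators received from partners or law enforcement.
SAMPLE_IOCS = {"198.51.100.77"}


@dataclass(frozen=True)
class Event:
    ts: str
    session: str
    user: str
    src: str
    event: str
    path: str = ""


_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, sorted by timestamp.
    ISO-8601 UTC timestamps sort correctly as strings."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(_KV.findall(rest))
        events.append(Event(ts=ts, session=fields["session"], user=fields["user"],
                            src=fields["src"], event=fields["event"],
                            path=fields.get("path", "")))
    events.sort(key=lambda e: e.ts)
    return events


def find_hijacked_sessions(events: list[Event]) -> dict[str, tuple[str, list[str]]]:
    """Return {session: (ip_that_passed_mfa, [later ips that differ])}.
    A session that passed MFA from one address but is afterwards used from another
    is a hijack candidate: the authenticated session token was reused, so MFA was
    never challenged again."""
    mfa_src: dict[str, str] = {}
    suspects: dict[str, list[str]] = defaultdict(list)
    for ev in events:  # events are time-ordered, see parse_log
        if ev.event == "MFA_OK":
            mfa_src[ev.session] = ev.src
        elif ev.session in mfa_src and ev.src != mfa_src[ev.session]:
            suspects[ev.session].append(ev.src)
    return {s: (mfa_src[s], ips) for s, ips in suspects.items()}


def find_sessions_without_mfa(events: list[Event]) -> list[str]:
    """Sessions that touched resources but never logged MFA_OK in the window.
    Either the MFA log source is missing (a log-trust problem) or the session
    was established by a path that skipped MFA; both deserve a look."""
    passed_mfa = {ev.session for ev in events if ev.event == "MFA_OK"}
    return sorted({ev.session for ev in events
                   if ev.event == "RESOURCE_ACCESS" and ev.session not in passed_mfa})


def match_iocs(events: list[Event], iocs: set[str]) -> list[Event]:
    """Return every event whose source address is on the IOC list."""
    return [ev for ev in events if ev.src in iocs]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sess, (good_ip, bad_ips) in find_hijacked_sessions(evs).items():
        print(f"possible hijack: {sess} passed MFA from {good_ip}, later used from {bad_ips}")
    print("sessions with no MFA event:", find_sessions_without_mfa(evs))
    for ev in match_iocs(evs, SAMPLE_IOCS):
        print(f"IOC hit: {ev.ts} {ev.session} {ev.user} {ev.src} {ev.event} {ev.path}")
```

The session check keys on source address only; a real deployment would also compare user agent, client certificate or device posture and would tolerate legitimate address changes (mobile clients, NAT pools) by allow-listing known ranges rather than by dropping the check. Both hunts depend on the log source being one the adversary could not have edited, which is why the response above prioritized trusted log aggregation before mapping techniques.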