The MITRE Corporation, a not-for-profit organization that operates research and development centers for the U.S. government, has disclosed that sophisticated nation-state hackers recently compromised one of its internal research and development networks.
The intrusion, believed to have been carried out by a Chinese threat actor group known as UNC5221, exploited two zero-day vulnerabilities in Ivanti Connect Secure VPN appliances to gain initial access.
According to MITRE’s technical deep dive into the incident, the attackers first conducted reconnaissance to identify the vulnerable Ivanti appliances.
They then exploited CVE-2023-46805 and CVE-2024-21887, two critical flaws allowing authentication bypass and arbitrary command execution, to breach MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) network.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
After establishing a foothold, the hackers moved laterally within the VMware environment, capturing at least one administrator account in the process.
They installed webshells and backdoors to maintain persistent access and exfiltrated an undisclosed amount of data from the network.
MITRE’s cybersecurity team detected the intrusion and promptly activated incident response protocols to contain the attack.
The organization confirmed that the NERVE network, which is used for unclassified research and prototyping, is separate from its business and public-facing networks, which remain secure and operational.
While MITRE has not named the suspected Chinese hackers, security firms like Mandiant have observed UNC5221 and other Chinese threat actors exploiting the same Ivanti zero-days in recent months, often using similar post-compromise tactics for lateral movement and data theft.
Experts warn that the breach, while limited in scope, highlights the ongoing risks faced by organizations involved in national security and advanced technology research.
On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free.
“The sophistication and nature of the attack underline ongoing risks faced by organizations involved in national security and advanced technological research,” noted Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start.
MITRE is working with federal law enforcement and its sponsors to investigate the incident and identify the perpetrators.
The organization plans to share findings with the cybersecurity community to help prevent similar attacks in the future.
“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO of MITRE.
The incident serves as a stark reminder of the ever-present threat posed by nation-state hackers and the importance of robust cybersecurity measures, even for the most security-conscious organizations.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide