
Mitre breached by nation-state threat actor via Ivanti flaws

An unnamed nation-state threat actor breached Mitre through two Ivanti Connect Secure zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, disclosed earlier this year.

Mitre on Friday said it suffered a data breach at the hands of a "foreign nation-state threat actor" that exploited two Ivanti zero-day vulnerabilities earlier this year.

Mitre is a not-for-profit research and development firm working across several sectors, including aerospace, AI and defense. On the cybersecurity front, the company manages the CVE system and has developed a number of industry-standard security frameworks such as ATT&CK.

On April 19, Mitre disclosed a breach via a press release on its website and a blog post on Medium. In the press release, the firm said it confirmed a compromise after detecting suspicious activity in its collaborative research and development network NERVE, short for Networked Experimentation, Research, and Virtualization Environment.

"Following detection of the incident, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including to determine the scope of information that may be involved," the press release read.

Mitre president and CEO Jason Providakes said in a quote shared alongside the press release that the company decided to disclose the incident in a timely manner "because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture."

According to the Medium post authored by Mitre principal cybersecurity engineer Lex Crumpton and CTO Charles Clancy, threat actors gained access beginning in January via two Ivanti Connect Secure zero-day vulnerabilities -- an authentication bypass flaw, tracked as CVE-2023-46805, and a command injection vulnerability, tracked as CVE-2024-21887. The vulnerabilities came under widespread exploitation earlier this year, and hundreds of organizations were compromised as a result, including CISA.

"Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking," the post read. "From there, they moved laterally and dug deep into our network's VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials."

Crumpton and Clancy said the company responded to initial disclosures of the Ivanti Connect Secure vulnerabilities in January.

"MITRE followed best practices, vendor instructions, and the government's advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure," the authors wrote. "At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

TechTarget Editorial reached out to Ivanti for comment.

Although Mitre did not name the specific threat actor behind the attack, Clancy referenced "a sophisticated nation state threat actor" in a video message attached to the press release. In it, he said the threat actor responsible compromised "over 1,700 organizations," including Mitre.

This suggests that the threat actor was the China-nexus actor UNC5221, a nation-state adversary detailed in Mandiant research published in January. TechTarget Editorial asked for clarification on this point, but a Mitre spokesperson declined to provide additional detail.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
