MITRE cyber attack saw threat actors exploit Ivanti Connect Secure zero-days


Non-profit security organization MITRE has revealed it suffered a data breach believed to have been conducted by nation-state-backed threat actors.

Earlier this month, it detected suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

MITRE said it's taken prompt action to contain the incident, including taking the NERVE environment offline, and has launched an investigation with the support of in-house and leading third-party experts.

"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cyber security possible," said Jason Providakes, president and CEO of MITRE.

"We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture."

Analysis of the incident shows that, in January this year, a threat actor carried out reconnaissance of MITRE’s networks, exploiting one of its Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities and dodging multi-factor authentication (MFA) using session hijacking.

From there, the attackers were able to move laterally into the network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and web shells to maintain persistence and harvest credentials.

MITRE said that, based on its investigation to date, there is no indication its core enterprise network or partners’ systems have been affected by the incident.


The non-profit isolated affected systems and segments of the network, set up an ad-hoc committee to provide governance and oversight, and carried out forensic analysis to identify the extent of the compromise, the techniques used, and whether the attack was limited to the research and prototyping network.

Moving forward, MITRE said it plans to carry out a large-scale review, including vulnerability assessments and penetration testing to identify and address potential weaknesses.

Training will be ramped up, and new security measures will be brought in based on lessons learned from the incident.

"The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches," Providakes said. "As we have previously, we will share our learnings from this experience to help others and evolve our own practices."

It's the first time in fifteen years that MITRE has been hacked, but the incident is nonetheless a concerning one for the non-profit, according to Matt Aldridge, principal solutions consultant at OpenText Cybersecurity.

"The attack on security organization MITRE is a stark reminder of the pervasive threat landscape we navigate daily," he said.

"MITRE's recognition of the breach demonstrates both the need for enhanced vigilance across all sectors and the benefits of transparent incident disclosure. It has further demonstrated why cyber security has to be an immediate priority and a cornerstone of risk mitigation and prevention strategies for any business."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.