24 Apr, 2024

Nation & State

MITRE Hacked by State-Sponsored Group via Ivanti Zero-Days

MITRE revealed on Friday that one of its R&D networks was hacked a few months ago by a foreign state-sponsored threat actor leveraging zero-day vulnerabilities in an Ivanti product.

The attack occurred in early January, but it was only discovered this month. It targeted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified collaborative network that is used for research, development, and prototyping.

Following the discovery of the breach, MITRE took the NERVE environment offline and launched an investigation. The organization determined that the attack involved exploitation of two Ivanti Connect Secure VPN device vulnerabilities for initial access.

The vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, were zero-days at the time of the attack. They came to light on January 10, when cybersecurity firm Volexity warned that they had been exploited by hackers backed by the Chinese government to compromise Ivanti VPN devices.

Ivanti immediately provided mitigations, but it took the company nearly three weeks to start releasing proper patches.

Widespread exploitation of the Ivanti flaws started roughly a week after they came to light. Considering that MITRE was targeted before the zero-days were disclosed, the organization may have been targeted by the Chinese threat actors, but it has not shared any attribution details beyond saying that it was a foreign nation-state threat actor.

Google Cloud’s Mandiant is aware of several China-linked threat actors that have exploited the Ivanti VPN vulnerabilities in their attacks. 

MITRE said the attackers performed reconnaissance, exploited the Ivanti zero-days, and bypassed its multi-factor authentication system using session hijacking. 

“From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account,” MITRE explained. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

MITRE’s investigation is ongoing, but at this point there is no evidence that its core enterprise network or partners’ systems are impacted by the incident. 

MITRE is a not-for-profit company operating federally funded R&D centers on behalf of U.S. government sponsors. The company is widely known in the cybersecurity industry for its ATT&CK knowledge base of adversary tactics and techniques, which is based on real-world cyberattack observations.

MITRE has shared information on the observed ATT&CK techniques, as well as best practice tips for detecting such attacks, and recommendations for hardening networks. 

CVE-2023-46805 and CVE-2024-21887 have also been used to hack into systems belonging to the cybersecurity agency CISA, which revealed earlier this month that the incident could affect 100,000 individuals.

Late last month MITRE opened a new AI Assurance and Discovery Lab for discovering and managing risks in AI-enabled systems.