Mitre Corporation targeted by nation-state threat actors

Mitre Corporation, a non-profit organization that operates federally funded research and development centers (FFRDCs) on behalf of the US government, has revealed a major breach in its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network vital for the organization’s research and development activities.

“We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices,” said Jason Providakes, president and CEO, MITRE.

In the same breath, Providakes warned that “No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible.”

The breach, detected in early April 2024, has been attributed to a foreign nation-state threat actor. Cybersecurity vendor Check Point defines a nation-state cyberattack as an attack carried out by a state-sponsored actor against another government or against some other individual or organization.

The intrusion began in January 2024, MITRE said in a separate blog post: the nation-state threat actor first performed reconnaissance of MITRE’s networks, then exploited one of its VPNs through two Ivanti Connect Secure zero-day vulnerabilities.

The threat actor then bypassed MITRE’s multifactor authentication and gained access to the NERVE network. “From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials,” the blog added.

MITRE defines NERVE as “an unclassified collaborative network that provides storage, computing, and networking resources.”

However, Providakes said that “there is no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident.”

On detecting the breach, MITRE said it took swift and comprehensive action, including “taking the NERVE environment offline,” and launched an investigation with in-house and third-party experts. “MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient,” the company added in the blog post.

“We quickly closed the front door after the Ivanti and CISA advisories, but the back door was already open,” MITRE’s CTO Charles Clancy said in a LinkedIn post.
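The lesson in the two statements above is that patching the appliance does not evict an attacker who already used it to harvest credentials and reach the virtualization layer. One way to hunt for that “back door” is to treat every account that authenticated through the VPN while it was exploitable as potentially compromised, and then look for those accounts touching the VMware management plane, especially after the patch went in. The script below is an added illustration of that correlation and is not MITRE’s code or tooling; the event format, the account names, the VPN client address pool, and the January window and patch dates are all constructed for the example.

```python
"""
Compromise-window hunt (constructed example, not MITRE's tooling).

Correlates VPN appliance sessions during the exploitable window with
later administrative access to the virtualization management plane.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumption: the address pool handed out to VPN clients (invented value).
VPN_CLIENT_POOL = ip_network("10.10.20.0/24")

# Assumed timeline for this example: appliance exploitable from the 10th,
# patched/replaced on the 20th. Real dates are not stated on the page.
WINDOW_START = datetime(2024, 1, 10, tzinfo=timezone.utc)
PATCH_TIME = datetime(2024, 1, 20, tzinfo=timezone.utc)

# Constructed sample events (invented log format; not real logs).
# Fields: UTC timestamp, source system, account, client IP, action.
SAMPLE_EVENTS = [
    ("2024-01-12T03:14:00Z", "vpn",     "svc_backup", "203.0.113.7",  "session_start"),
    ("2024-01-13T04:02:00Z", "vcenter", "svc_backup", "10.10.20.15",  "admin_login"),
    ("2024-01-15T09:00:00Z", "vpn",     "alice",      "198.51.100.4", "session_start"),
    ("2024-01-25T22:47:00Z", "vcenter", "svc_backup", "10.10.20.15",  "admin_login"),
    ("2024-01-26T01:10:00Z", "vcenter", "svc_backup", "10.10.20.15",  "create_vm"),
    ("2024-02-02T10:00:00Z", "vcenter", "alice",      "10.1.5.22",    "admin_login"),
    ("2024-03-03T10:00:00Z", "vcenter", "bob",        "10.1.5.30",    "admin_login"),
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def exposed_accounts(events, window_start, patch_time):
    """Accounts that authenticated through the VPN while it was exploitable.

    Any credential or session seen by the appliance in that window must be
    treated as possibly harvested, regardless of whether the account is
    known to be malicious.
    """
    return {
        user
        for ts, src, user, _ip, _action in events
        if src == "vpn" and window_start <= parse_ts(ts) <= patch_time
    }


def hunt(events, window_start, patch_time, pool=VPN_CLIENT_POOL):
    """Return vCenter activity by exposed accounts that merits investigation.

    Two signals are applied to each vCenter event from an exposed account:
      - the admin plane was reached from the VPN client pool, i.e. the path
        the intruder is known to have used;
      - an admin login happened after the patch, which the patch alone does
        nothing to prevent if the credential was already stolen.
    """
    suspects = exposed_accounts(events, window_start, patch_time)
    findings = []
    for ts, src, user, ip, action in sorted(events, key=lambda e: e[0]):
        if src != "vcenter" or user not in suspects:
            continue
        reasons = []
        if ip_address(ip) in pool:
            reasons.append("admin plane reached from VPN client pool")
        if action == "admin_login" and parse_ts(ts) > patch_time:
            reasons.append("post-patch admin login by account exposed in window")
        if reasons:
            findings.append(
                {"ts": ts, "user": user, "ip": ip, "action": action, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, WINDOW_START, PATCH_TIME):
        print(f["ts"], f["user"], f["ip"], f["action"], "|", "; ".join(f["reasons"]))
```

On the sample data the hunt surfaces every vCenter action by `svc_backup` from the VPN pool, including the post-patch admin login, and also the later login by `alice`, whose session fell inside the window. The second kind of hit is a lead, not a verdict: the right response to it is to rotate the credential and verify the activity, which is exactly the step that closing the front door alone leaves undone.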

Rising menace of nation-state cyberattacks

Nation-state cyberattacks have surged across the globe in recent years. Such attackers, as BAE Systems put it, have a “license to hack.” “They work for a government to disrupt or compromise target governments, organizations or individuals to gain access to valuable data or intelligence, and can create incidents that have international significance,” the company said.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), “sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”

According to the Center for Strategic & International Studies (CSIS), there have been more than 20 large-scale cyberattacks on various countries this year alone that can be classed as nation-state attacks.

In March 2024, Iranian hackers breached an IT network connected to an Israeli nuclear facility and leaked sensitive facility documents. In the same month, a US Department of Justice indictment mentioned that Chinese hackers attacked several EU members of the Inter-Parliamentary Alliance on China and Italian MPs, the CSIS said in its report.

In the same report, CSIS also noted that Switzerland’s National Cybersecurity Center (NCSC) confirmed in March 2024 that data from more than 65,000 documents of the Federal Administration had been leaked in May 2023.
