MITRE Corporation announced that it was the target of a nation-state cyberattack. This cyberattack leveraged two zero-day flaws and compromised a network for unclassified research and prototyping called Networked Experimentation, Research, and Virtualization Environment (NERVE). 

Security leaders weigh in

Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit:

“The race to patch against vulnerabilities and de-risk is real in a world where adversaries are lying in wait to attack upon opportunity. In 2024, companies must apply due diligence at every step of the entire lifecycle of threat and vulnerability management (TVM) lifecycle, with the ability to rapidly prioritize patching, workarounds and other forms of remediation, when justified by escalating threats. The need for strong cyber threat intelligence (CTI) driven programs has never been stronger to proactively reduce risk, quickly detect and remove threats as fast as possible in the war against cyber threats. Excellence in SecOps includes lowering the impact of an incident by ensuring controls internally to identify and remove threats quickly as well as reduce the blast radius when an attack occurs.”

Darren Guccione, CEO and Co-Founder at Keeper Security:

“The impact of this cyber-attack should not be taken lightly, due to both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE), which could potentially expose sensitive research data and intellectual property. 

“In the digital age, it’s clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyber-attacks to both support and supplement physical attacks. Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort. The growing threat of cyber-attacks underscores the need for continued cybersecurity prioritization and investment, both in the public and private sectors.

“In this attack, the threat actors were able to compromise an administrator account, then move laterally within the network. Organizations large and small should implement a zero-trust architecture with least-privilege access to ensure employees only have access to what they need to do their jobs. 

“A privileged access management (PAM) platform helps organizations manage and secure privileged credentials and enforce least privilege access. PAM works by tightly monitoring access and activity in privileged accounts. If a cybercriminal is able to gain access to an organization’s networks, PAM platforms can minimize the blast radius by preventing lateral movement. Companies should also have security event monitoring in place. By adopting a zero-trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start:

“The exploitation of two zero-day vulnerabilities in Ivanti Connect Secure appliances points to a high level of sophistication and resources typical of nation-state actors. The CVEs used allowed the attackers to bypass authentication and execute arbitrary commands, which are severe exploits with high CVSS scores (8.2 and 9.1, respectively). This suggests a deliberate and well-planned effort to target critical infrastructure, likely with significant intelligence or disruption goals. 

“While NERVE is described as an unclassified network that offers storage, computing and networking resources, its role in facilitating research and prototyping could mean it contains valuable data on experimental technologies or methodologies. Though it's stated as unclassified, the information it holds could still be of interest to adversaries, particularly those looking for insights into developing technologies or security defenses. While it might not be the primary network used by all security researchers at MITRE, its compromise can hinder ongoing research efforts, potentially delay projects, and necessitate significant resources to manage the breach and bolster security. The loss of trust in a key tool like NERVE could also impact collaborative efforts with other institutions or partners, especially if data integrity becomes a concern.

“The breach's reach — limited to NERVE without affecting MITRE’s core enterprise network or partners’ systems — suggests that the damage was contained. However, the sophistication and nature of the attack underline ongoing risks faced by organizations involved in national security and advanced technological research. This incident will likely lead to a reassessment of security measures, particularly around how sensitive unclassified networks are protected. MITRE’s response, including containment, recovery and forensic analysis, will be critical in mitigating immediate risks and preventing future incidents. The broader security community will be keen on learning from MITRE’s experience to understand the threat actor’s methodologies and enhance their own defensive strategies.”