The MITRE Corporation, a non-profit overseeing federally funded research, was breached by nation-state hackers in January through two zero-day vulnerabilities in products from IT vendor Ivanti.

The company explained in a blog post on Friday that unidentified threat actors performed reconnaissance on its networks by exploiting one of its VPNs through two vulnerabilities in Ivanti Connect Secure.

At the time, Ivanti said the two vulnerabilities — CVE-2023-46805 and CVE-2024-21887 — were used in attacks on at least 10 of its customers. 

MITRE CTO Charles Clancy said in a statement that the company discovered last week that its unclassified collaborative research and development network — where prototyping and other work is housed — was compromised by a foreign nation-state threat actor. MITRE’s work supports a variety of government agencies. 

The affected network “provides storage, computing, and networking resources.” The organization said there is “no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident.”

“They compromised an Ivanti Connect Secure appliance on the network perimeter in early January, and moved laterally into our VMware infrastructure before the zero-day CVE was disclosed and reported,”  Clancy said. The organization “quickly closed the front door” after advisories from Ivanti and the Cybersecurity and Infrastructure Security Agency (CISA), “but the back door was already open.”

In the blog post, MITRE explained that the hackers used the Ivanti vulnerabilities to move laterally by taking over a compromised administrator account. They used a “combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.” 

The organization said it followed advice from the government and Ivanti to “upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure.” 

“At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient,” they said. 

The organization’s investigation into the incident is ongoing but they felt it was important to disclose the incident as an example of how even the most cyber mature organizations can be breached by sophisticated threat actors. 

MITRE said it would dive deeper into the technical details of the attack in another update in the coming weeks but provided a list of recommendations for organizations based on their experience. 

In a Google incident response blog centered around the two vulnerabilities, the company outlined an anonymous incident where the hackers used the Ivanti bugs to move laterally into a VMware vCenter server. MITRE shared the Google blog in its document but did not respond to questions about whether that incident was the same as the one they outlined. 

While MITRE did not say who was behind the incident, the company that initially discovered the Ivanti vulnerabilities attributed the exploitation to a Chinese nation-state-level threat actor. 

Ivanti products have become a prime avenue for hackers to infiltrate several governments and leading organizations — including even the U.S. Cybersecurity and Infrastructure Security Agency (CISA).