MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved

Non-profit organization MITRE confirmed Friday that it suffered a breach of its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping. After detecting suspicious activity on NERVE, MITRE confirmed that a foreign nation-state threat actor had compromised the environment. MITRE has contacted authorities, notified affected parties, and is working to restore operational alternatives for collaboration in an expedited and secure manner.

NERVE is an unclassified collaborative network that provides storage, computing, and networking resources. Based on its investigation to date, there is no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident. Following the detection of the breach on the NERVE network, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including work to determine the scope of information that may be involved.

“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” Jason Providakes, president and CEO of MITRE, said in a media statement. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture.” 

Providakes added that the threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. “As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

Charles Clancy, chief technology officer of MITRE, detailed that this past January over 1,700 organizations were compromised by a sophisticated nation-state threat actor. “This threat actor compromised the Ivanti Connect Secure appliance that’s used to provide connectivity into some of our most trusted networks. MITRE was one of those compromised. In the interest of transparency and public interest, we really want to share our experiences, so others can learn from it.”

“We took all the recommended actions from the vendor, from the U.S. government, but they were clearly not enough. As a result, we are issuing a call to action to the industry,” Clancy added. “The threat has gotten more sophisticated, and so too must our solutions to combat that threat.”

“First, we need to advance secure by design principles. Hardware and software need to be secure right out of the box,” Clancy identified. “Second, we need to operationalize secure supply chains by taking advantage of the software bill of materials ecosystem to understand the threats in our upstream software systems. Third, we should deploy zero trust architectures, not just multi-factor authentication, but also micro-segmentation of our networks. Fourth, we need to adopt adversary engagement as a routine part of cyber defense. It can provide not only detection but also deterrence to our adversaries. Adversaries are advancing new threats and new techniques,” he added.

In a Medium post, Lex Crumpton and Clancy revealed that “MITRE’s security team immediately began an investigation, cut off all known access to the threat actor, and brought in third-party Digital Forensics Incident Response teams to perform their independent analyses alongside our in-house experts.”

The executives disclosed “a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”

They added that MITRE followed best practices, vendor instructions, and the government’s advice “to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time, we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”
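The two gaps described above, a VPN session reused after MFA was satisfied once and an administrator login reaching the virtualization management plane through the VPN appliance, are both visible in logs if the right events are correlated. The following Python hunt is an added example written for this page; it is not MITRE's code, and it does not use real Ivanti or vCenter log formats. The line format, the appliance's inside address 10.0.0.1, the event names, the 30-minute correlation window and the sample events are all constructed assumptions for illustration.

```python
"""Hunt for (1) VPN session hijacking after MFA and (2) management-plane
logins that arrive via the VPN appliance, over constructed sample logs.
Added example; the log format is a simplified assumption, not a vendor's."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed inside address of the VPN appliance: anything riding a VPN session
# reaches internal hosts from here. Replace with the real value.
VPN_APPLIANCE_INTERNAL_IPS = {"10.0.0.1"}
# Assumed correlation window between a foreign session use and a vCenter login.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample events (not real appliance or vCenter logs).
# Format: <ts> <source> <event> key=value ...
SAMPLE_LOGS = """\
2024-01-03T17:20:00Z vcenter login user=vmadmin src=10.0.0.1 result=success
2024-01-04T08:01:10Z vpn session_start user=alice sid=S1001 src=203.0.113.5 mfa=ok
2024-01-04T08:30:42Z vpn session_use user=alice sid=S1001 src=203.0.113.5
2024-01-04T08:31:05Z vpn session_use user=alice sid=S1001 src=198.51.100.77
2024-01-04T08:33:19Z vcenter login user=vmadmin src=10.0.0.1 result=success
2024-01-04T09:00:00Z vpn session_start user=bob sid=S1002 src=192.0.2.9 mfa=ok
2024-01-04T09:10:00Z vpn session_use user=bob sid=S1002 src=192.0.2.9
2024-01-04T12:00:00Z vcenter login user=vmadmin src=10.0.0.50 result=success
2024-01-04T12:05:00Z vcenter login user=vmadmin src=10.0.0.1 result=failure
"""


@dataclass
class Event:
    ts: datetime
    source: str
    event: str
    attrs: dict


def parse_logs(text):
    """Parse the constructed line format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, event, attrs))
    return sorted(events, key=lambda e: e.ts)


def find_session_hijacks(events):
    """Flag a VPN session id used from an address other than the one that
    completed MFA at session start. MFA was satisfied once, so replaying the
    session from elsewhere never triggers a new challenge; the only trace is
    the changed source address on an existing session."""
    owner = {}
    foreign = defaultdict(list)
    for e in events:
        if e.source != "vpn":
            continue
        sid, src = e.attrs["sid"], e.attrs["src"]
        if e.event == "session_start":
            owner[sid] = src
        elif e.event == "session_use" and src != owner.get(sid):
            foreign[sid].append((e.ts.isoformat(), src))
    return {sid: {"owner": owner.get(sid), "foreign_uses": uses} for sid, uses in foreign.items()}


def find_suspicious_mgmt_logins(events, hijacks, window=CORRELATION_WINDOW):
    """Flag successful vCenter logins whose source is the VPN appliance itself
    (the management plane should only be reachable from an admin segment).
    Severity is 'high' when the login lands inside `window` after a foreign
    use of a hijacked session, which is the chain the write-up describes."""
    foreign_uses = [(datetime.fromisoformat(ts), sid)
                    for sid, h in hijacks.items() for ts, _ in h["foreign_uses"]]
    findings = []
    for e in events:
        if not (e.source == "vcenter" and e.event == "login" and e.attrs.get("result") == "success"):
            continue
        if e.attrs["src"] not in VPN_APPLIANCE_INTERNAL_IPS:
            continue
        linked = next((sid for use_ts, sid in foreign_uses
                       if timedelta(0) <= e.ts - use_ts <= window), None)
        findings.append({"ts": e.ts.isoformat(), "user": e.attrs["user"], "src": e.attrs["src"],
                         "severity": "high" if linked else "medium", "linked_session": linked})
    return findings


def run(text=SAMPLE_LOGS):
    events = parse_logs(text)
    hijacks = find_session_hijacks(events)
    return hijacks, find_suspicious_mgmt_logins(events, hijacks)


if __name__ == "__main__":
    hijacks, logins = run()
    for sid, h in hijacks.items():
        print(f"session {sid} owned by {h['owner']} also used from {h['foreign_uses']}")
    for f in logins:
        print(f)
```

On the constructed input the hunt reports session S1001 being used from a second address two minutes before a successful vmadmin login that arrives through the appliance, and rates that login high; the earlier login from the appliance with no hijack nearby is still reported, at medium, because the management plane should not be reachable over the VPN at all. The login from 10.0.0.50 and the failed attempt are ignored. The point the write-up makes is that hardening the edge device does not produce this kind of finding; only collecting the appliance's session records and the hypervisor management logs into a trusted aggregator and joining them does.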

However, the post noted that upon detecting the breach on the NERVE network, MITRE’s incident response team initiated a coordinated response plan. They “isolated affected systems and segments of the network to prevent further spread of the attack. Simply changing edge firewall rules was insufficient as this network had connectivity to labs across the enterprise, and effective containment required shutting down access infrastructure and isolating edge systems in a diverse set of laboratories. An accurate network inventory was critical to doing this in a timely way.”

“Effective response and recovery require an aligned board and management team. MITRE’s board of trustees chartered an ad-hoc committee to provide governance and oversight,” the Medium post disclosed. “Our CTO led the overall company-wide response, balancing and coordinating across the CIO and CISO on incident response, business unit leadership on customer engagement and project recovery and continuity, and enterprise communications and general counsel teams.”

MITRE launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries, and whether the attack was limited to the research and prototyping network or had spread further. “While this process is still underway, and we have a lot more to uncover about how the adversary interacted with our systems, trusted log aggregation was perhaps the most important component to enabling our forensic investigation,” the post added.

“With the compromised system contained for the forensic analysis, we needed new compute, storage, and networking resources for projects to use instead,” according to the MITRE executives. “We quickly identified alternative platforms, conducted a thorough security audit of each, and established a procedure for projects to migrate to new systems. The highest-priority projects will be back online in clean environments with fewer than two weeks of downtime.”

It is critical to maintain transparent communication with stakeholders, including affected employees, customers, law enforcement, and ultimately the public, the Medium post added. “With an investigation underway, finding the right balance about what to share and when can be challenging. We’re making the decision to inform the public because we work in the public interest, and the more we collectively understand and can combat this threat the better we will all be.”

The forensic investigation following the breach on the NERVE network necessitated the rapid deployment of new sensor suites to collect information from affected systems, many of which can help improve MITRE's monitoring in an enduring way. “We also were able to leverage indicators of compromise from the compromised system and from partners and law enforcement to augment threat hunting efforts across other parts of our network,” the post added.

While MITRE’s initial response efforts to the breach on the NERVE network helped mitigate the immediate impact of the cyber-attack, the organization recognizes the ongoing need for vigilance and adaptation. Moving forward, MITRE is committed to conducting a comprehensive review of its cybersecurity posture, including vulnerability assessments and penetration testing, to identify and address potential weaknesses. It will also enhance employee training and awareness programs to reinforce cybersecurity best practices and threat awareness, and implement additional security measures based on lessons learned from the incident.

On Thursday, MITRE outlined that its ATT&CK 2024 goals are to bolster broader usability and enhance actionable defensive measures for practitioners across every domain. This includes exploring scope adjustments and platform rebalancing and implementing structural modifications with the introduction of ICS (industrial control system) sub-techniques by October. A core focus will be reinforcing defensive mechanisms and optimizing their user-friendliness.
