
MITRE Breach Shows Cyberattacks Can Happen to Anyone—Even the Best

Even the best-prepared companies can be hacked, as shown by a recently discovered security breach at MITRE Corporation.

Despite its commitment to safeguarding its digital assets, MITRE—an American nonprofit organization that manages federally funded research and development centers promoting national security and cybersecurity, among other public goods—has experienced a cyberattack on one of its collaborative research networks. After detecting suspicious activity on the network, MITRE confirmed that it had been compromised by a malicious foreign nation-state actor. MITRE took immediate steps to isolate the compromised network, and their core operations do not appear to have been impacted.

After 15 years without a major security incident, MITRE’s systems were infiltrated starting this January. The attacker exploited a MITRE virtual private network (VPN) and managed to bypass their multifactor authentication using session hijacking—a type of attack using captured session IDs to seize control of an in-progress session, which then allows the attacker to masquerade as a legitimate user and gain access to additional data and systems. In this case, the attacker was able to access MITRE’s VMware infrastructure, maintain persistence, and harvest credentials.

“MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” wrote MITRE researcher Lex Crumpton in a Medium/MITRE-Engenuity post sharing details of the attack. “At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”

Having discovered the breach this past week, MITRE immediately took the affected network offline, notified all stakeholders, and launched an investigation. The investigation is ongoing and includes a third-party analysis team working independently alongside MITRE’s own investigators to understand the means of attack and the extent of the damage. Once it is complete, MITRE will share what it learned and the additional security improvements that came out of the experience.

In the meantime, MITRE offers these best practice tips for other organizations to defend their systems and data from cyberattacks, along with some additional advice from CyberNINES.

  • For improving network security:
    • Require strong multifactor authentication
    • Keep systems and software up to date
    • Restrict user privileges to the least necessary
    • Keep networks segmented to limit the impact of a potential breach
    • Conduct regular security assessments
    • Keep up to date on the latest detection and mitigation techniques
    • Remove implicitly trusted elements of the network architecture and implement Zero Trust access mechanisms
  • For detecting breaches:
    • Monitor VPN traffic for anomalies such as connection spikes or unusual geographic locations
    • Look for deviations in user behavior such as unusual login times or accessing unfamiliar resources
    • Keep networks segmented to limit lateral movement and reveal anomalous behavior
    • Keep threat intelligence feeds updated to identify known malicious IP addresses
    • Use deception environments to decoy and trap would-be attackers and gain insight into their tactics
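
One way to turn the detection tips above into a check, as an added example (not MITRE's or CyberNINES's code): it flags a VPN session ID that changes source IP, which is what the session hijacking described earlier looks like in logs, along with new countries, off-hours logins and connection spikes. The log format, field names and thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample VPN log: timestamp, user, session id, source IP, country.
SAMPLE_LOG = """\
2024-01-08T09:02:11,alice,s-1001,198.51.100.10,US
2024-01-08T09:05:40,bob,s-1002,198.51.100.22,US
2024-01-08T13:15:02,alice,s-1001,198.51.100.10,US
2024-01-09T02:47:30,alice,s-1001,203.0.113.77,NL
2024-01-09T02:48:01,alice,s-1001,203.0.113.77,NL
2024-01-09T02:48:09,alice,s-1001,203.0.113.77,NL
2024-01-09T09:01:55,bob,s-1003,198.51.100.22,US
"""

def parse(text):
    """Parse the assumed CSV layout into (datetime, user, sid, ip, country)."""
    rows = csv.reader(io.StringIO(text))
    return [(datetime.fromisoformat(ts), user, sid, ip, cc)
            for ts, user, sid, ip, cc in rows]

def find_anomalies(events, work_hours=range(7, 20), spike_threshold=3):
    """Return sorted (kind, subject, detail) findings; thresholds are assumed."""
    findings = set()
    session_origin = {}                  # session id -> first (ip, country) seen
    known_countries = defaultdict(set)   # user -> countries seen so far
    per_hour = Counter()                 # (user, hour bucket) -> connections
    for ts, user, sid, ip, cc in sorted(events):
        first = session_origin.setdefault(sid, (ip, cc))
        if first[0] != ip:               # same session, different source IP
            findings.add(("session_moved", sid, f"{first[0]} -> {ip}"))
        if known_countries[user] and cc not in known_countries[user]:
            findings.add(("new_country", user, cc))
        known_countries[user].add(cc)
        hour = ts.strftime("%Y-%m-%d %H:00")
        if ts.hour not in work_hours:    # login outside the assumed work day
            findings.add(("off_hours", user, hour))
        per_hour[(user, hour)] += 1
        if per_hour[(user, hour)] == spike_threshold:
            findings.add(("spike", user, hour))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(parse(SAMPLE_LOG)):
        print(finding)
```

The `session_moved` finding is the one that matters when multifactor authentication has been bypassed: the stolen session is already authenticated, so the login itself looks normal and only the change of origin stands out.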

For more tips on identifying and preventing cyberthreats, please see these CyberNINES posts on public Wi-Fi safety, social engineering, and phishing attempts.