
MITRE Data Breach: State-Backed Hackers Exploit Ivanti Zero-Days in Massive Cyberattack
MITRE Corporation, the company providing engineering and technical guidance for the United States Air Force, revealed on April 19 that it was among over 1,700 organizations compromised in January 2024 by a state-backed hacking group exploiting Ivanti VPN zero-day vulnerabilities. The attack bypassed multi-factor authentication and allowed lateral movement using hijacked administrator accounts.
MITRE detected the breach when suspicious activity was observed on its NERVE research network. In response, it took NERVE offline and launched an investigation with internal and external cybersecurity experts. The attackers used sophisticated webshells and backdoors to maintain access and harvest credentials.
Mandiant attributed the attack to APT group UNC5221, while Volexity linked it to Chinese state-sponsored actors. The vulnerabilities had been exploited since December 2023, prompting CISA to issue an emergency directive in January 2024.