Chinese hackers deployed backdoor quintet to down MITRE

2 Min Read
Chinese hackers deployed backdoor quintet to down MITRE

China-linked hackers deployed a roster of different backdoors and Web shells in the process of compromising the MITRE Corporation late last year.

Last month news broke that MITRE, best known for its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, was breached through Ivanti Connect Secure zero-day vulnerabilities. The hackers accessed its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and development network.

On May 3, MITRE filled in some more details about five unique payloads deployed as part of an attack that lasted from New Year’s Eve all the way through mid-March.

The Payloads used Against MITRE

As a present for New Year’s 2023, MITRE’s attackers infected it with the “Rootrot” web shell. Rootrot is designed to embed itself into a legitimate Ivanti Connect Secure TCC file, and it enabled them to perform reconnaissance and lateral movement within the NERVE environment.

The tool was designed by the Chinese advanced persistent threat (APT) UNC5221, the same group responsible for the initial wave of reported Ivanti-based attacks. Dark Reading previously attributed MITRE’s breach to UNC5221, but retracted that detail at MITRE’s request.

After gaining initial access and poking around a bit, the attackers used their compromised Ivanti appliance to connect with and then take control inside of NERVE’s virtual environment. Then they infected a number of virtual machines (VMs) with a variety of payloads.

To read the complete article, visit Dark Reading.

Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community