Officials with Mandiant, an Alexandria, Va.-based network security firm, said in a blog post Friday that a hacker or hackers leveraged the Heartbleed bug to break into an employee’s virtual private network, or VPN.

“Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization,” Mandiant said.