The notice released by the Department of Homeland Security on Friday represents the agency’s most detailed explanation to date of how attackers were able to monitor high-value intelligence targets undetected for months.
It also reveals that investigators are increasingly focusing on attackers’ use of Microsoft products to hide in plain sight.
The alert does not address the data the attackers may have accessed or the extent of the breach, and is limited to a description of the attack patterns themselves. A joint statement released Tuesday by intelligence officials said “less than ten agencies” appear to have been specifically targeted for espionage.
Since then, however, the federal judiciary has said it is investigating a possible compromise of its electronic case management system, and the Justice Department has acknowledged that up to 3% of its Microsoft email accounts have potentially been compromised.
DHS’s Cybersecurity and Infrastructure Security Agency has now confirmed this, describing step-by-step how the attackers hid their tracks.
First, attackers gained initial access to a victim by taking advantage of the previously disclosed SolarWinds vulnerability or by other methods, such as password guessing, which CISA said it was still investigating.
Next, the attackers sought to impersonate one or more real users in order to gain access to an organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.
Security experts have described services like Azure Active Directory as holding “the keys to the realm” because for many companies, it is the software used to create and manage network accounts, passwords, and privileges.
Once the attackers gained access to the organization’s identity provider, they were able to configure permissions for themselves to surreptitiously access other programs and applications, CISA said.
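The three steps above (initial access, impersonating real users to reach the cloud identity provider, then granting themselves application permissions) leave traces in the identity provider's audit log. The following is an added illustration, not code from the article or from CISA, of how a defender might sift such a log for the permission changes CISA describes: new credentials added to an application, tenant-wide consent, and grants of mailbox-reading permissions. The log format, the activity names, the permission names and the "quiet hours" window are all assumptions for the example, and the sample records are constructed, not real data from any agency.

```python
import json
from collections import Counter

# Constructed sample audit records (format assumed, loosely modelled on an
# Azure AD audit-log export; no real tenant, account or agency data).
SAMPLE_AUDIT_LOG = """\
{"time": "2020-12-14T03:12:09Z", "activity": "Add service principal credentials", "actor": "svc-backup@example.gov", "target": "GraphConnectorApp", "props": {"keyType": "AsymmetricX509Cert"}}
{"time": "2020-12-14T03:14:41Z", "activity": "Add app role assignment to service principal", "actor": "svc-backup@example.gov", "target": "GraphConnectorApp", "props": {"appRole": "Mail.Read"}}
{"time": "2020-12-14T08:00:02Z", "activity": "Update user", "actor": "helpdesk@example.gov", "target": "jdoe@example.gov", "props": {}}
{"time": "2020-12-15T02:58:33Z", "activity": "Consent to application", "actor": "jdoe@example.gov", "target": "ReportViewer", "props": {"consentType": "AllPrincipals", "scopes": "Mail.ReadWrite offline_access"}}
not json at all
"""

# Activities that change who can act as an application or what an
# application may read. These names are assumed for the example; check
# them against your own tenant's audit-log export before relying on them.
PERMISSION_CHANGES = {
    "Add service principal credentials",
    "Add app role assignment to service principal",
    "Consent to application",
}

# Permissions that give mailbox or directory-wide reach (assumed list).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Directory.ReadWrite.All", "full_access_as_app"}

# UTC hours treated as outside the organisation's normal change window (assumed).
QUIET_HOURS = range(0, 6)


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line; in production, count these separately
    return records


def flag_record(rec):
    """Return the reasons one record looks suspicious (empty list if none)."""
    reasons = []
    if rec.get("activity") not in PERMISSION_CHANGES:
        return reasons
    reasons.append("permission change: " + rec["activity"])
    props = rec.get("props", {})
    # Permissions may arrive as a single app role or a space-separated scope list.
    granted = set(str(props.get("appRole", "")).split()) | set(str(props.get("scopes", "")).split())
    sensitive = granted & SENSITIVE_SCOPES
    if sensitive:
        reasons.append("sensitive scope: " + ", ".join(sorted(sensitive)))
    if props.get("consentType") == "AllPrincipals":
        reasons.append("tenant-wide consent")
    hour = int(rec["time"][11:13])  # timestamps are ISO 8601 in UTC
    if hour in QUIET_HOURS:
        reasons.append("outside change window (%02d:00 UTC)" % hour)
    return reasons


def flag_events(records):
    """Return [(record, reasons)] for every record with at least one reason."""
    findings = []
    for rec in records:
        reasons = flag_record(rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


def actors_by_findings(findings):
    """Count flagged events per actor, so one identity quietly reconfiguring
    several applications stands out from one-off administrative changes."""
    return Counter(rec["actor"] for rec, _ in findings)


if __name__ == "__main__":
    found = flag_events(parse_audit_log(SAMPLE_AUDIT_LOG))
    for rec, reasons in found:
        print(rec["time"], rec["actor"], "->", rec["target"], "|", "; ".join(reasons))
    print(actors_by_findings(found))
```

The point of scoring per actor rather than per event is the one the article makes: the attackers were not exploiting a bug in the identity provider but using legitimately granted permissions, so any single change can look like routine administration, and it is the pattern of credential additions and consent grants clustered on one account, at unusual hours, that is worth a second look.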
Attacks against a platform like Active Directory can be extremely powerful, said Robert M. Lee, CEO of cybersecurity firm Dragos.
“It’s a system that ties all other systems together,” he said in a recent interview.
Cedric Leighton, former NSA official and CNN military analyst, said the report demonstrated the sophistication of the attackers.
“This is the final key to understanding the SolarWinds hack,” Leighton said. “The fact that credentials were compromised – including multi-factor identity authentication systems – shows just how widespread this attack really was. References to lateral movements show that they moved through networks to compromise much more data than initially thought. admit that the possible compromise of our systems goes far beyond what was initially reported.”
Zachary Cohen contributed to this story.