The Russia-linked hackers behind a devastating breach of US government and commercial networks gave themselves top administrative privileges, allowing them to spy on their targets with impunity, according to a US government bulletin.
The advisory published Friday by the Department of Homeland Security represents the agency’s most detailed explanation yet of how the attackers were able to monitor high-value intelligence targets undetected for months.
It also reveals that investigators are increasingly focused on the attackers’ use of Microsoft products to hide in plain sight.
The alert does not address what data the hackers may have accessed or the scope of the breach, and is limited to a description of the attack patterns themselves. A joint statement on Tuesday by intelligence officials said “fewer than ten agencies” appear to have been specifically targeted for spying.
Since then, however, the federal judiciary has said it is investigating a possible compromise of its electronic case management system, and the Justice Department acknowledged that up to 3 percent of its Microsoft email accounts had been potentially accessed.
Cybersecurity experts and US officials have said for weeks that the attackers likely abused credentials and impersonated legitimate users to conduct their spying campaign.
Now DHS’s Cybersecurity and Infrastructure Security Agency has confirmed that happened, describing step-by-step how the attackers hid their tracks.
First, the attackers gained initial access to a victim by taking advantage of the previously disclosed SolarWinds vulnerability or through other methods, such as password guessing, that CISA said it is still investigating.
Next, the attackers sought to impersonate one or more real users in order to access an organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.
Security experts have described services like Azure Active Directory as holding “the keys to the kingdom” because for many enterprises, it is the software used to create and manage network accounts, passwords and privileges.
Once the attackers had gained access to the organization’s identity provider, they were able to set up permissions for themselves to surreptitiously access other programs and applications, CISA said.
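The pattern CISA describes (a compromised account granting itself top privileges in the identity provider, then adding permissions or credentials that reach other applications) is one a defender can look for in identity audit logs. The following is an added example, not code from CISA or from this article; the audit activity names, role names and sample records are constructed assumptions modelled on Azure AD audit-log naming.

```python
import json
# Audit activity names and role names below are assumptions modelled on
# Azure AD audit-log naming, not values from the CISA advisory or this article.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
SUSPICIOUS_ACTIVITIES = {
    "Add member to role": "privileged role granted",
    "Add service principal credentials": "new credential on service principal",
    "Add app role assignment to service principal": "app permission granted",
}

def parse_events(raw_lines):
    """Parse newline-delimited JSON audit records, skipping malformed lines."""
    events = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole review
    return events

def flag_identity_changes(events):
    """Return alerts for events that widen privileges or add credentials."""
    alerts = []
    for ev in events:
        activity = ev.get("activity", "")
        reason = SUSPICIOUS_ACTIVITIES.get(activity)
        if reason is None:
            continue
        # Role grants only matter when the role itself is highly privileged.
        if activity == "Add member to role" and ev.get("role") not in PRIVILEGED_ROLES:
            continue
        alerts.append({"time": ev.get("time"), "actor": ev.get("actor"),
                       "target": ev.get("target"), "reason": reason})
    return alerts

# Constructed sample records (not real telemetry): a compromised account grants
# itself a top role, then adds a credential to an app to reach other services.
SAMPLE_LOG = """
{"time": "2020-12-01T03:12:00Z", "activity": "Update user", "actor": "alice@example.com", "target": "alice@example.com"}
{"time": "2020-12-01T03:14:05Z", "activity": "Add member to role", "actor": "alice@example.com", "target": "alice@example.com", "role": "Global Administrator"}
{"time": "2020-12-01T03:15:30Z", "activity": "Add member to role", "actor": "alice@example.com", "target": "bob@example.com", "role": "Directory Readers"}
{"time": "2020-12-01T03:20:11Z", "activity": "Add service principal credentials", "actor": "alice@example.com", "target": "mail-sync-app"}
"""
if __name__ == "__main__":
    for alert in flag_identity_changes(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against a real tenant's exported audit log, the same two checks surface self-granted top roles and new application credentials, which is where a review of this kind of intrusion would start.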
Attacks on a platform like Active Directory can be extremely powerful, said Robert M. Lee, CEO of the cybersecurity firm Dragos.
“It’s a system that connects up every other system,” he said in a recent interview.
Cedric Leighton, a former NSA official and CNN military analyst, said the report demonstrates the sophistication of the attackers.
“This is the latest key to understanding the SolarWinds hack,” said Leighton. “The fact that credentials were compromised – including multi-factor identity authentication systems – shows how extensive this attack actually was. Lateral movement references show that they moved through networks to compromise way more data than originally thought. In essence, this is the admission that the possible compromise of our systems goes way beyond what was originally reported. This is a very big deal.”
Zachary Cohen contributed to this story.