It also reveals that investigators are increasingly focused on the attackers’ use of Microsoft products to hide in plain sight.
Cybersecurity experts and US officials have said for weeks that the attackers likely abused credentials and impersonated legitimate users to conduct their spying campaign.
Now DHS’s Cybersecurity and Infrastructure Security Agency has confirmed that happened, describing step-by-step how the attackers hid their tracks.
First, the attackers gained initial access to a victim by taking advantage of the previously disclosed SolarWinds vulnerability or through other methods, such as password guessing, that CISA said it is still investigating.
Next, the attackers sought to impersonate one or more real users in order to access an organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.
Security experts have described services like Azure Active Directory as holding “the keys to the kingdom” because for many enterprises, it is the software used to create and manage network accounts, passwords and privileges.
Once the attackers had gained access to the organization’s identity provider, they were able to set up permissions for themselves to surreptitiously access other programs and applications, CISA said.
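The sequence CISA describes (impersonate a real user, then grant yourself permissions in the identity provider to reach other applications) leaves a trail in the identity provider's own audit log. The following added example, which is not from the article, CISA's report, or Microsoft, shows how a defender could triage such a log: it parses constructed JSON-lines audit records, flags the kinds of changes that set up that access (new service-principal credentials, new application permissions, role assignments, federation changes), and adds weight when a change is self-granted, privileged, made outside business hours, or part of a burst by one actor. The activity names are modelled on Azure AD audit-log wording and the sample records are constructed; treat both as assumptions to be adapted to real telemetry.

```python
"""Triage identity-provider audit events for the pattern CISA described:
permissions or credentials granted so an impersonated account can reach other
applications. Activity names and sample records are constructed assumptions."""
import json
from datetime import datetime, timedelta

# Watch-list of change types that grant or widen application access.
# Wording modelled on Azure AD audit-log activity names (assumed, tune to your tenant).
HIGH_RISK_ACTIVITIES = {
    "Add service principal credentials",
    "Add app role assignment to service principal",
    "Consent to application",
    "Set federation settings on domain",
    "Add member to role",
}

PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

# Constructed sample audit records (JSON lines), not real telemetry.
SAMPLE_AUDIT_LOG = r"""
{"time": "2021-01-07T02:14:05Z", "activity": "Sign-in", "actor": "alice@example.test", "target": "Outlook", "details": {}}
{"time": "2021-01-07T02:15:40Z", "activity": "Add service principal credentials", "actor": "alice@example.test", "target": "MailArchiveApp", "details": {"credentialType": "Password"}}
{"time": "2021-01-07T02:16:02Z", "activity": "Add app role assignment to service principal", "actor": "alice@example.test", "target": "MailArchiveApp", "details": {"role": "Mail.Read"}}
{"time": "2021-01-07T09:30:00Z", "activity": "Add member to role", "actor": "it-admin@example.test", "target": "bob@example.test", "details": {"role": "Helpdesk Administrator"}}
{"time": "2021-01-07T23:58:11Z", "activity": "Add member to role", "actor": "alice@example.test", "target": "alice@example.test", "details": {"role": "Global Administrator"}}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def business_hours(ts):
    """Crude working-hours check: weekday, 08:00-18:00 in the log's timezone."""
    return 8 <= ts.hour < 18 and ts.weekday() < 5


def find_suspicious_grants(events, window=timedelta(minutes=10)):
    """Return one finding per high-risk change, with the reasons it stood out.
    More reasons means a stronger signal that an account is being used to
    set up persistent access rather than to do routine administration."""
    findings = []
    recent_by_actor = {}  # actor -> timestamps of recent high-risk changes
    for ev in events:
        if ev["activity"] not in HIGH_RISK_ACTIVITIES:
            continue
        reasons = ["high-risk identity change"]
        if not business_hours(ev["time"]):
            reasons.append("outside business hours")
        if ev["activity"] == "Add member to role":
            if ev["details"].get("role") in PRIVILEGED_ROLES:
                reasons.append("privileged role")
            if ev["actor"] == ev["target"]:
                reasons.append("self-assigned")
        # Burst detection: several access-granting changes by one actor in a short window.
        recent = [t for t in recent_by_actor.get(ev["actor"], []) if ev["time"] - t <= window]
        recent.append(ev["time"])
        recent_by_actor[ev["actor"]] = recent
        if len(recent) >= 2:
            reasons.append(f"{len(recent)} high-risk changes within {window}")
        findings.append({
            "time": ev["time"].isoformat(), "actor": ev["actor"],
            "activity": ev["activity"], "target": ev["target"], "reasons": reasons,
        })
    return findings


def suspicious_actors(findings, min_reasons=2):
    """Actors with at least one finding carrying several independent reasons."""
    return sorted({f["actor"] for f in findings if len(f["reasons"]) >= min_reasons})


if __name__ == "__main__":
    results = find_suspicious_grants(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in results:
        print(f["time"], f["actor"], f["activity"], "->", f["target"], "|", "; ".join(f["reasons"]))
    print("review first:", suspicious_actors(results))
```

On the constructed log the routine helpdesk role change is listed with a single reason, while the overnight credential-plus-permission burst and the self-assigned Global Administrator role each accumulate several, which is what an analyst would want surfaced first. The check on `actor == target` matters because an attacker holding one impersonated account has no legitimate second administrator to approve its own elevation.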
Attacks on a platform like Active Directory can be extremely powerful, said Robert M. Lee, CEO of the cybersecurity firm Dragos.
“It’s a system that connects up every other system,” he said in a recent interview.
Cedric Leighton, a former NSA official and CNN military analyst, said the report demonstrates the sophistication of the attackers.
“This is the latest key to understanding the SolarWinds hack,” said Leighton. “The fact that credentials were compromised — including multi-factor identity authentication systems — shows how extensive this attack actually was. Lateral movement references show that they moved through networks to compromise way more data than originally thought. In essence, this is the admission that the possible compromise of our systems goes way beyond what was originally reported. This is a very big deal.”
Zachary Cohen contributed to this story.