Hackers have breached a government organization in the US, CISA says.

On February 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that attackers had quietly gained access to the network of an unspecified government organization by using an administrator account that belonged to a former employee. The core of the incident is that a still-active administrator account of a departed employee gave the attackers a foothold in the organization's network infrastructure.

CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to give network defenders the tactics, techniques, and procedures the attackers used. The organization's incident response was examined after documents belonging to the organization were published on the dark web.

The attackers obtained network administrator credentials through a former employee's account and used them to authenticate successfully to an internal virtual private network (VPN). They then ran a series of LDAP queries against the domain controller.

It is important to note that the attackers did not gain access to sensitive data that resides in the Azure environment.

The report published by CISA states, "Logs show that the attackers first connected from an unknown virtual machine (VM) to the victim via IP addresses within the internal range of the VPN. CISA and MS-ISAC concluded that the attackers connected to the VM through the victim's VPN in order to blend in with legitimate traffic to avoid detection."

The attackers most likely obtained the administrator credentials from a third-party data leak. They also found a second set of credentials stored on the SharePoint server, which gave them administrator privileges both on the organization's on-premises network and in Azure Active Directory. The report describes the attackers' actions in considerable detail and offers countermeasures aligned with the Cross-Sector Cybersecurity Performance Goals set by CISA and the National Institute of Standards and Technology, which are recommended for all critical infrastructure organizations and network defenders. CISA was unable to attribute the attack to a specific threat actor.
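The two detection opportunities in the advisory's account above, a successful VPN login by an account whose owner has already left the organization and a burst of LDAP queries against the domain controller from the VPN-assigned address that follows it, can be expressed as simple log correlation. The following is an added example, not code from the advisory, from CISA or from MS-ISAC; the log formats, the offboarding roster and every account name and IP address in it are constructed for illustration, and the five-query-in-five-minutes threshold is an assumption to tune against real data.

```python
"""Constructed detection example: flag VPN authentications by offboarded
accounts and the follow-on LDAP reconnaissance from the same session."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: accounts HR reports as separated, with separation date.
# In practice this comes from the HR system or the identity provider.
OFFBOARDED = {
    "jdoe.admin": datetime(2023, 11, 30),
    "rsmith": datetime(2024, 1, 15),
}

# Constructed VPN authentication log: timestamp|user|result|assigned_ip
VPN_LOG = """\
2024-02-01T08:02:11|alice|success|10.20.0.14
2024-02-01T08:05:40|jdoe.admin|success|10.20.0.31
2024-02-01T08:07:02|bob|failure|10.20.0.0
2024-02-01T09:15:22|rsmith|success|10.20.0.45
"""

# Constructed domain controller LDAP query log: timestamp|client_ip|base_dn
LDAP_LOG = """\
2024-02-01T08:06:01|10.20.0.31|DC=corp,DC=example
2024-02-01T08:06:02|10.20.0.31|CN=Users,DC=corp,DC=example
2024-02-01T08:06:03|10.20.0.31|CN=Domain Admins,CN=Users,DC=corp,DC=example
2024-02-01T08:06:04|10.20.0.31|OU=Servers,DC=corp,DC=example
2024-02-01T08:06:05|10.20.0.31|CN=Computers,DC=corp,DC=example
2024-02-01T08:40:10|10.20.0.14|CN=Users,DC=corp,DC=example
"""


def parse(log):
    """Split a pipe-delimited log into field lists, skipping blank lines."""
    return [line.split("|") for line in log.strip().splitlines()]


def former_employee_logins(vpn_log, offboarded):
    """Return (user, timestamp, assigned_ip) for every successful VPN login by
    an account whose owner was separated before the login time."""
    hits = []
    for ts, user, result, ip in parse(vpn_log):
        when = datetime.fromisoformat(ts)
        separated = offboarded.get(user)
        if result == "success" and separated is not None and when > separated:
            hits.append((user, ts, ip))
    return hits


def ldap_enumeration(ldap_log, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: count} for clients that issued at least `threshold`
    LDAP queries inside any `window`-long span (sliding window per client)."""
    per_client = defaultdict(list)
    for ts, ip, _base_dn in parse(ldap_log):
        per_client[ip].append(datetime.fromisoformat(ts))
    flagged = {}
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def correlate(vpn_log, ldap_log, offboarded):
    """Join the two signals: an offboarded account's VPN-assigned IP that then
    performed LDAP enumeration is the pattern the advisory describes."""
    logins = former_employee_logins(vpn_log, offboarded)
    enum = ldap_enumeration(ldap_log)
    return [(user, ip, enum[ip]) for user, _ts, ip in logins if ip in enum]


if __name__ == "__main__":
    for user, ip, count in correlate(VPN_LOG, LDAP_LOG, OFFBOARDED):
        print(f"ALERT: offboarded account {user} from {ip} issued {count} LDAP queries")
```

Run stand-alone, the script reports only `jdoe.admin`: the account was separated before the login and its VPN address then issued five LDAP queries within seconds, while `rsmith` logs in after separation but shows no enumeration. Either signal alone is worth an alert; the join is what separates a forgotten deprovisioning from an active intrusion, and the cheaper fix is to disable accounts at offboarding so the first detector never fires.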
