US Government Network Breached: Ex-Employee Account Exploited

The United States Cybersecurity and Infrastructure Security Agency (CISA), together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), has determined that unidentified threat actors gained access to a U.S. government organization's internal network through an administrator account that had belonged to a former employee and was never disabled.

The attackers are believed to have obtained the credentials from an unrelated, earlier data breach: the same account details were later found in publicly accessible channels containing leaked account information.

Using that administrator account, which had access to a virtualized SharePoint server, the attackers obtained a second set of credentials. This second account held administrative privileges both in the on-premises network and in Azure Active Directory (now Microsoft Entra ID). With it, the attackers explored the victim's on-premises environment and ran queries against the domain controller.

To date, the identities of the perpetrators remain undisclosed. The investigation found no evidence that the attackers moved laterally from the on-premises environment into the Azure cloud environment. They did, however, obtain host and user information, which was subsequently posted on the dark web, likely for financial gain.

In response, the affected organization reset all user passwords, disabled the former employee's administrator account, and removed the elevated privileges from the second account.

Notably, neither account was protected by multi-factor authentication (MFA). This underlines how important it is to harden privileged accounts that grant access to critical systems.

It is also recommended to apply the principle of least privilege, to use separate administrator accounts for on-premises and cloud environments so that one compromised credential does not span both, and to disable or delete an employee's accounts as soon as they leave the organization.
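The controls above (no lingering accounts for departed staff, MFA on every privileged account, no single identity that is an administrator both on-premises and in the cloud, and no dormant privileged accounts) can be checked mechanically against a directory export. The script below is an added example, not code from CISA, MS-ISAC or the affected organization. It assumes a flattened export with the fields shown on `Account` (the kind of report you would assemble from `Get-ADUser` output joined with an Entra ID role and MFA report and an HR status feed); the group and role names, the 90-day threshold, and every account record are constructed for illustration.

```python
"""Privileged-account hygiene audit over a constructed directory export.

Added example, not code from the advisory or the affected organization.
Field names, thresholds and all records below are assumptions.
"""
import copy
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Group/role names treated as privileged (assumed; real tenants have more).
ONPREM_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CLOUD_ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator",
                     "Exchange Administrator", "SharePoint Administrator"}
STALE_DAYS = 90  # assumed threshold for "privileged account not used recently"


@dataclass
class Account:
    name: str
    enabled: bool
    mfa_enforced: bool
    employee_active: bool          # HR status joined to the directory record
    last_logon: Optional[date]     # None means the account has never signed in
    onprem_groups: Set[str] = field(default_factory=set)
    cloud_roles: Set[str] = field(default_factory=set)

    @property
    def onprem_admin(self) -> bool:
        return bool(self.onprem_groups & ONPREM_ADMIN_GROUPS)

    @property
    def cloud_admin(self) -> bool:
        return bool(self.cloud_roles & CLOUD_ADMIN_ROLES)

    @property
    def privileged(self) -> bool:
        return self.onprem_admin or self.cloud_admin


Finding = Tuple[str, str, str]  # (account name, check id, recommended action)


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Apply the four controls and return one finding per violation."""
    findings: List[Finding] = []
    for a in accounts:
        if a.enabled and not a.employee_active:
            findings.append((a.name, "ORPHANED",
                             "owner has left: disable now, strip memberships, delete after retention"))
        if a.privileged and not a.mfa_enforced:
            findings.append((a.name, "PRIV_NO_MFA",
                             "privileged account without MFA: enforce MFA or disable"))
        if a.onprem_admin and a.cloud_admin:
            findings.append((a.name, "CROSS_PLANE_ADMIN",
                             "admin on-premises and in the cloud: split into separate accounts"))
        if a.enabled and a.privileged and (
                a.last_logon is None or (today - a.last_logon).days > STALE_DAYS):
            findings.append((a.name, "STALE_PRIV",
                             f"privileged account unused for more than {STALE_DAYS} days: disable or de-privilege"))
    return findings


def disable_departed(accounts: List[Account]) -> List[Account]:
    """Return a copy of the export in which every departed employee's account is
    disabled and stripped of all group and role memberships (the offboarding step
    that was missing in the incident)."""
    out = []
    for a in accounts:
        a = copy.deepcopy(a)
        if a.enabled and not a.employee_active:
            a.enabled = False
            a.onprem_groups = set()
            a.cloud_roles = set()
        out.append(a)
    return out


# Constructed records modelled on the incident: a departed administrator whose
# account was never disabled, and a second account that is an administrator
# both on-premises and in Entra ID, neither with MFA.
SAMPLE_ACCOUNTS = [
    Account("admin.former", enabled=True, mfa_enforced=False, employee_active=False,
            last_logon=date(2023, 9, 1), onprem_groups={"Domain Admins"}),
    Account("admin.shared", enabled=True, mfa_enforced=False, employee_active=True,
            last_logon=date(2024, 1, 20), onprem_groups={"Administrators"},
            cloud_roles={"Global Administrator"}),
    Account("cloudadmin.jdoe", enabled=True, mfa_enforced=True, employee_active=True,
            last_logon=date(2024, 1, 22), cloud_roles={"SharePoint Administrator"}),
    Account("jdoe", enabled=True, mfa_enforced=True, employee_active=True,
            last_logon=date(2024, 1, 22)),
]
AUDIT_DATE = date(2024, 1, 25)  # assumed date of the audit run

if __name__ == "__main__":
    for name, check, action in audit(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name:16} {check:18} {action}")
    print("after offboarding:", audit(disable_departed(SAMPLE_ACCOUNTS), AUDIT_DATE))
```

Run as-is, the audit reports five findings: the former employee's account is flagged as orphaned, privileged without MFA, and stale, and the shared account is flagged as privileged without MFA and as an administrator in both environments. After `disable_departed` only the two findings on the shared account remain, which is exactly the residual problem the organization fixed by removing that account's elevated privileges.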

This incident is a reminder that attackers can easily abuse valid employee accounts with elevated privileges when preventive controls are missing. Such compromises are highly damaging to private companies and can be catastrophic for government bodies.

Unnecessary and redundant accounts, software, and services on a network create additional attack vectors, and neglecting basic modern safeguards such as multi-factor authentication all but invites attackers in.