He also revealed that investigators are increasingly focused on how the attackers used Microsoft products to hide from sight.
Cybersecurity experts and U.S. officials have said for weeks that the attackers may have abused stolen credentials and posed as legitimate users in order to conduct their spying campaign.
Now the DHS Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this happened, describing step by step how the attackers hid their tracks.
First, the attackers gained initial access to the victim by exploiting the previously disclosed vulnerability in SolarWinds or by other methods, such as obtaining a user's password, which CISA said it was still investigating.
The attackers then attempted to impersonate one or more real users to access cloud services and identity providers such as Microsoft 365 or Azure Active Directory.
Security experts have described services such as Azure Active Directory as holding the “keys to the kingdom”, because for many businesses it is the software used to create and manage network accounts, passwords and privileges.
Once the attackers had access to an organization’s identity provider, they were able to grant themselves permissions for covert access to other programs and applications, CISA said.
Attacks on a platform such as Active Directory can be extremely powerful, said Robert M. Lee, CEO of cybersecurity company Dragos.
“It’s a system that connects any other system,” he said in a recent interview.
Cedric Leighton, a former NSA employee and CNN military analyst, said the report demonstrated the sophistication of the attackers.
“This is the latest key to understanding the SolarWinds hack,” Leighton said. “The fact that credentials were compromised – including multi-factor authentication systems – shows how widespread this attack was. Side-by-side references show that they traveled through networks to compromise more data than originally thought. In essence, this is a recognition that the possible compromise of our systems goes beyond what was initially reported. This is a very big deal.”
Zachary Cohen contributed to this story.