Data from a Federal agency has likely been stolen in a cyber intrusion, according to an analysis report released Sept. 24 by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The report does not identify the specific agency, the timeframe of the intrusion, or the attacker.
“CISA became aware—via EINSTEIN, CISA’s intrusion detection system that monitors Federal civilian networks as part of the National Cybersecurity Protection System (NCPS)—of a potential compromise of a Federal agency’s network,” said a CISA spokesperson, in an email to MeriTalk. “In coordination with the affected agency, CISA conducted an incident response engagement, confirming malicious activity.”
“The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts, which they leveraged for Initial Access to the agency’s network,” the report said. “CISA analysts were not able to determine how the cyber threat actor initially obtained the credentials.”
Once the cyber actor gained access, they logged into the agency's O365 email account and downloaded "help desk email attachments with 'Intranet access' and 'VPN [virtual private network] passwords' in the subject line, despite already having privileged access," the report said.
The cyber actor created a local account and used the account to take actions, including:
- “Brows[ing] directories on a victim file server;”
- “Copy[ing] a file from a user’s home directory to their locally mounted remote share;”
- “Exfiltrat[ing] data from an account directory and file server directory using tsclient (tsclient is a Microsoft Windows Terminal Services client);” and
- “Creat[ing] two compressed Zip files with several files and directories on them.”
CISA said it is "likely" the cyber actor "exfiltrated" these Zip files, but could not confirm the exfiltration because the actor "masked their activity."
The report comes one week after CISA and the FBI released a joint advisory about a cyber actor exploiting VPN vulnerabilities.
“This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence,” the advisory said.
The CISA report said organizations should “monitor network traffic for unusual activity,” including unusual open ports, large outbound files, and unapproved and unexpected protocols.
The report recommends several steps to protect against the malicious activity it details. These steps include deploying an enterprise firewall, blocking unused ports, and implementing multi-factor authentication, especially for privileged accounts.