You’d think that major organisations would have cyber security nailed down, especially government departments. But not necessarily so. Recent revelations reveal how one US government agency had hackers in their network for months and had no idea.
However, the story about the US government agency is unusual in that ‘inept’ hackers got into the network but didn’t know what to do and they where then followed into the network by sophisticated hackers who did know what they were doing.
- The story starts with a first group of hackers breaking into the network by breaching the password of internet-facing Windows Remote Desktop Protocol (RDP) on a firewall.
- It’s a popular and common techniques to breach passwords is either brute-force attacks or phishing emails.
The hackers didn't seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled inside the network to run Google searches to look for hacking tools, and then followed pop-up ads to pirated software downloads.
- This left the agency servers riddled with adware and the organisation didn't notice any of this was happening. Log data suggests that the attackers were regularly disappearing for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines.
- This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing cryptomining malware on the compromised servers.
But after four months, the attacks suddenly became more focused and more sophisticated. Following no activity for three weeks the attackers remotely connected and installed a password-sniffing tool to gain access to additional usernames and passwords.
These attackers also looked to remove the cryptomining malware and attempted to uninstall antivirus software on endpoints. This abrupt change in both goals and skill level suggested that another attacker had entered the network and has stalked the previous attacker and undone their work in order to carry out a ransomware attack.
Ironically, it was at this point the IT department noticed something strange was happening. It took servers offline to investigate but in order to do this, also disabled some cybersecurity protections, and the attackers took advantage.
- The intruders repeatedly dumped new account credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.
- The new, much more sophisticated attackers also stole a set of sensitive files as they worked towards the apparent end goal of a ransomware attack, which fully encrypted some of the machines on the network with LockBit ransomware.
The attack was eventually thwarted when the government agency brought in external help.
This isn’t unusual. Despite spending vast sums on cyber security people within large enterprises will make elementary mistakes, opening the door for hackers without realising it. And in this case it appears security was sacrificed for efficiency.
A number of simple steps could have been taken that would have deterred the attackers including:
- Applying multi-factor authentication to user accounts would have helped prevent them from being exploited and login notifications would've provided a warning that something suspicious was under way.
- Properly monitoring the network would've had indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and laid the foundation for a ransomware attack.
These are fairly basic steps that even home users will be familiar with, such as using two-factor authentication of accounts, protecting Wi-Fi routers with strong passwords and being aware of what devices are logging onto the home network. Of course, a government agency network will be hugely larger than any home network but the principles are the same irrespective of size.
If there is a lesson here for home users it’s don’t trust others to protect your data. You need to protect as far as is possible, your own data with identity protection for instance.