SolarWinds hackers gave themselves top administrative privileges to spy on victims unseen, says DHS

The advisory, published by the Department of Homeland Security on Friday, represents the agency’s most detailed account to date of how the attackers were able to monitor high-value intelligence targets for months.

It also reveals that investigators are increasingly focused on the attackers’ use of Microsoft products to hide.

The advisory does not address the data obtained by the hackers or the extent of the breach; it is limited to a description of the attack patterns themselves. A joint statement by intelligence officials on Tuesday indicated that fewer than ten agencies were specifically targeted for espionage.
Since then, however, the federal judiciary has said it is investigating a possible compromise of its electronic case management system, and the Department of Justice has acknowledged that up to three percent of its Microsoft email accounts may have been accessed.

Cybersecurity experts and U.S. officials have been saying for weeks that the attackers likely abused credentials and impersonated legitimate users to carry out their espionage campaign.

Now, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this happened, and has described step by step how the attackers hid their tracks.

First, the attackers gained initial access to a victim by exploiting the previously disclosed SolarWinds vulnerability or by other methods, such as password guessing, which CISA said it was still investigating.

Next, the attackers impersonated one or more real users to gain access to the organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.

Security experts have described services like Azure Active Directory as ‘the keys to the kingdom’ because, for many businesses, it is the software used to create and manage network accounts, passwords and access rights.

Once the attackers had access to the organization’s identity provider, they were able to grant themselves permissions that gave them persistent access to other programs and applications, CISA said.

Attacks on a platform such as Active Directory can be extremely powerful, said Robert M. Lee, CEO of cybersecurity firm Dragos.

“It’s a system that connects every other system,” he said in a recent interview.

Cedric Leighton, a former NSA official and CNN military analyst, said the report shows the sophistication of the attackers.

“This is the latest key to understanding the SolarWinds hack,” Leighton said. “The fact that credentials were compromised – including multi-factor identity verification systems – shows how extensive this attack actually was. Lateral movement references show that they moved through networks to compromise more data than originally thought. It is essentially recognizing that the possible compromise of our systems goes far beyond what was originally reported. This is a very big issue.”

Zachary Cohen contributed to this story.
