Unidentified agency’s network breached with ‘sophisticated’ malware

Data was stolen from SharePoint, emails and other locations before CISA's EINSTEIN flagged a potential compromise.

A cyberattacker used “sophisticated” malware to compromise an unidentified federal agency’s network and steal data, according to a Cybersecurity and Infrastructure Security Agency report released Thursday.

CISA’s EINSTEIN intrusion detection system flagged a potential breach, which its incident response team confirmed with help from the target agency.

The attacker used compromised credentials to implant malware that evaded the agency’s security software and gained persistent access by exploiting firewall weaknesses.

“The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts, which they leveraged for initial access to the agency’s network,” reads the report.


CISA analysts couldn’t determine how the cyberattacker obtained the credentials, only that they connected multiple times to the agency’s virtual private network and created a local account to collect and exfiltrate data from SharePoint, emails and other locations. Exactly what information was stolen, and how much, was not made immediately available.

Analysts shared five IP addresses involved in the attack and warned other agencies to monitor network traffic for unusual open ports, large outbound files, and unexpected and unapproved protocols — particularly ones leading to the internet.

Additionally, CISA recommended agencies deploy an enterprise firewall or work with their internet service provider to ensure its firewall is properly configured, as well as block unused ports.

Written by Dave Nyczepir

Dave Nyczepir is a technology reporter for FedScoop. He was previously the news editor for Route Fifty and, before that, the education reporter for The Desert Sun newspaper in Palm Springs, California. He covered the 2012 campaign cycle as the staff writer for Campaigns & Elections magazine and Maryland’s 2012 legislative session as the politics reporter for Capital News Service at the University of Maryland, College Park, where he earned his master’s of journalism.
