A cyberattacker used “sophisticated” malware to compromise an unidentified federal agency’s network and steal data, according to a Cybersecurity and Infrastructure Security Agency report released Thursday.
The attacker used compromised credentials to implant malware that evaded the agency’s security software and gained persistent access by exploiting firewall weaknesses.
“The cyber threat actor had valid access credentials for multiple users’ Microsoft Office 365 accounts and domain administrator accounts, which they leveraged for initial access to the agency’s network,” reads the report.
CISA analysts couldn’t determine how the cyber attacker obtained the credentials, only that they connected multiple times to the agency’s virtual private network and created a local account to collect and exfiltrate data from SharePoint, emails and other locations. Exactly what information was stolen and how much was not made immediately available.
Analysts shared five IP addresses involved in the attack and warned other agencies to monitor network traffic for unusual open ports, large outbound files, and unexpected and unapproved protocols — particularly ones leading to the internet.
Additionally, CISA recommended agencies deploy an enterprise firewall or work with their internet service provider to ensure its firewall is properly configured, as well as block unused ports.