A virtual private network vulnerability that has been known since December. Stolen credentials of a power user. A poorly configured firewall. It didn’t take long for the hacker to own this unnamed federal agency.
In what was a matter of days, maybe weeks, this bad actor, possibly a nation state given how sophisticated the attack was, set up two remote command-and-control points, reviewed email and other documents to look for passwords and started network hopping to find more valuable data and information.
And now the Cybersecurity and Infrastructure Security Agency at the Homeland Security Department is laying out what happened with depth and specificity rarely seen in a public way. Without a doubt, CISA is telling other agencies, “Don’t let this happen to you.”
The use case, gently titled “Federal Agency Compromised by Malicious Cyber Actor,” is a detailed example of what happens when your agency’s cyber hygiene is poor and exacerbated by the surge in remote workers.
“COVID-19 has undermined the cybersecurity of U.S. agencies. Telework and a 400% increase in attacks have allowed for intrusions. Telework places a huge strain on IT and security resources, and these skeleton crews have lost both visibility and the capacity to harden these remote systems,” said Tom Kellermann, head of cybersecurity strategy for VMware. “This attack illustrates the greater problem of over-reliance on VPNs to protect these systems. The current security posture of perimeter defense is ineffective against the kill chains of 2020.”
Kellermann said while it’s hard to tell if this was a small or large agency impacted by the attack, all signs point to the hacke ..