The report, which ZDNet analyzed today, reveals how the intruder gained access to the federal agency's internal networks through different channels, such as leveraging compromised credentials for Microsoft Office 365 (O365) accounts, domain administrator accounts, and credentials for the agency's Pulse Secure VPN server.
CISA said the attacker logged into Office 365 accounts to view and download help desk email attachments with "Intranet access" and "VPN passwords" in the subject line. Attackers searched for these files despite already having privileged access to the agency's network, and most likely in an attempt to find additional parts of the network they could attack.
The attacker also accessed the local Active Directory, where they modified settings and studied the structure of the agency's internal network.
To have a quick way back into the federal agency's network, the hackers installed an SSH tunnel and reverse SOCKS proxy, custom malware, and connected a hard drive they controlled to the agency's network as a locally mounted remote share.
"The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis," CISA analysts said.
Furthermore, the attacker also created their own local account on the network. By analyzing forensic evidence, CISA said the hacker used this account to browse the local network, run PowerShell commands, and gather important files into ZIP archives. CISA said that it couldn't confirm if the attacker exfiltrated the ZIP archives, but this is what most likely happened in the end.
In addition, CISA said the malware the hackers installed on the federal agency's network "was able to overcome the agency's anti-malware protection, and inetinfo.exe [the malware] escaped quarantine."
Nonetheless, investigators said they detected the intrusion via EINSTEIN, CISA's intrusion detection system that monitors federal civilian networks from a vantage point and was able to compensate for the attacker bypassing local anti-malware solutions.