Big Russian hack used a technique experts had warned about for years. Why wasn't the U.S. government ready?
Craig Timberg, The Washington Post
Feb. 9, 2021
WASHINGTON - The disastrous Russian hack of federal government networks last year relied on a powerful new trick: Digital spies penetrated so deeply they were able to impersonate any user they wanted. It was the computer network equivalent of sneaking into the State Department and printing perfectly forged U.S. passports.
Cybersecurity researchers had warned for years that such an attack was possible. Those from one firm, FireEye, even released hacking tools in 2019 showing exactly how to do it - in hopes the revelation would spur the widespread deployment of better defenses.
One of the most chilling aspects of Russia's recent hacking spree, which breached numerous United States government agencies among other targets, was the successful use of a "supply chain attack" to gain tens of thousands of potential targets from a single compromise at the IT services firm SolarWinds. But this wasn't the only striking feature of the assault. After that initial foothold, the attackers bored deeper into their victims' networks with simple and elegant strategies. Now researchers are bracing for a surge in those techniques from other attackers.
The SolarWinds hackers used their access in many cases to infiltrate their victims' Microsoft 365 email services and Microsoft Azure Cloud infrastructure, both treasure troves of potentially sensitive and valuable data. The challenge of preventing these types of intrusions into Microsoft 365 and Azure is that they don't depend on specific vulnerabilities that
SolarWinds Campaign Focuses Attention on Golden SAML Attack Vector
Adversaries that successfully execute the attack can achieve persistent anytime, anywhere access to a victim network, security researchers say.
The recently disclosed compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on a dangerous Active Directory Federation Services (ADFS) bypass technique dubbed Golden SAML, which cybersecurity vendor CyberArk first warned about in 2017.
The attack gives threat actors a way to maintain persistent access to all of an enterprise's ADFS federated services. This includes hosted email services, file storage services such as SharePoint, and hosted business intelligence apps, time-card systems, and travel systems, according to a blog post from Israel-based Sygnia. The attention that the SolarWinds campaign has drawn to the attack technique significantly raises the likelihood of adversaries leveraging it in future attacks, Sygni