Specialists from Sophos have shared details of a cyberattack by unknown groups on the network of a regional US government agency. The attackers spent more than five months searching for the information they wanted, and two or more groups were active in the victim's network before the Lockbit ransomware payload was finally deployed.
Throughout the attack, the intruders used the Chrome browser to search for hacking tools and download them to the compromised computer on which they had gained initial access. Although they deleted many event logs from the systems under their control, investigators still managed to recover some digital traces.
The surviving logs showed that the attackers installed various commercial remote access tools on reachable servers and desktops. They initially favoured the ScreenConnect IT management tool, but later switched to AnyDesk in an attempt to evade the countermeasures of the security team. The logs also recorded downloads of RDP scanning tools, exploits and password brute-forcing utilities, along with evidence that these tools were used successfully.
Researchers also identified many other malicious programs, from password brute-forcing software to cryptominers and pirated copies of commercial VPN client software. There was evidence that the attackers used free tools such as PsExec, FileZilla, Process Explorer and GMER to execute commands, move data between systems, and kill processes that hindered their efforts.
The technicians managing the affected network had left a protective feature disabled after completing maintenance. As a result, some systems remained exposed, and the attackers were able to disable endpoint protection on servers and desktops.
The initial compromise occurred almost six months before investigators discovered the intrusion. The attackers were fortunate: the account they used to break in over RDP was not only a local administrator on the server but also held domain administrator rights, which allowed them to create administrator-level accounts on other servers and desktops.
After a three-week pause, the attackers connected remotely and installed the Mimikatz tool. The first attempt was blocked, but the intruders later managed to run Mimikatz through a compromised account. They also tried to harvest credentials with another tool, LaZagne.
More than four months after the initial compromise, the attackers' behaviour suddenly became more deliberate and targeted, and the source IP addresses were traced to Estonia and Iran.
Six months after the attack began, the intruders launched Advanced IP Scanner and almost immediately began moving laterally across the network to several sensitive servers. Within minutes, they had gained access to a large amount of confidential data.
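The tools named in this write-up are all dual-use binaries that a defender can watch for in process-creation telemetry. The following detection pass is an added example, not code from Sophos or from the report: it runs over a handful of constructed Sysmon-style events, flags executions of the tools listed above and of any binary launched from a Downloads folder, and reports the dwell window between the first and last hit. The log format, the regex patterns and the sample events are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample of process-creation events (not real logs from the incident).
SAMPLE_EVENTS = [
    "2021-03-02T09:14:05 host=SRV-FS01 user=CORP\\svc_admin image=C:\\Windows\\System32\\svchost.exe",
    "2021-03-02T09:20:41 host=SRV-FS01 user=CORP\\svc_admin image=C:\\Users\\svc_admin\\Downloads\\ScreenConnect.ClientSetup.exe",
    "2021-03-24T22:03:17 host=SRV-FS01 user=CORP\\svc_admin image=C:\\Users\\svc_admin\\Downloads\\mimikatz.exe",
    "2021-04-10T11:47:02 host=WS-207 user=CORP\\jdoe image=C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "2021-08-29T10:12:55 host=SRV-FS01 user=CORP\\svc_admin image=C:\\Users\\svc_admin\\Downloads\\Advanced_IP_Scanner_2.5.exe",
]

# Dual-use tools named in the write-up; the filename patterns are this example's own assumption.
TOOL_PATTERNS = {
    "ScreenConnect": r"screenconnect",
    "AnyDesk": r"anydesk",
    "PsExec": r"psexec",
    "Mimikatz": r"mimikatz",
    "LaZagne": r"lazagne",
    "Advanced IP Scanner": r"advanced[_ ]?ip[_ ]?scanner",
    "GMER": r"\bgmer",
    "FileZilla": r"filezilla",
    "Process Explorer": r"procexp",
}

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")

def parse_event(line):
    """Parse one event line into a dict with a datetime timestamp, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def classify(image):
    """Return the dual-use tool name whose pattern matches the image filename, else None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for tool, pattern in TOOL_PATTERNS.items():
        if re.search(pattern, name):
            return tool
    return None

def build_timeline(lines):
    """Return sorted (timestamp, host, user, label) hits for tool runs and Downloads-folder binaries."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tool = classify(ev["image"])
        from_downloads = "\\downloads\\" in ev["image"].lower()
        if tool or from_downloads:
            hits.append((ev["ts"], ev["host"], ev["user"], tool or "unknown binary from Downloads"))
    return sorted(hits)

def dwell_days(hits):
    """Whole days between the first and last flagged event: the window the defenders missed."""
    return (hits[-1][0] - hits[0][0]).days if hits else 0
```

On the constructed sample the pass flags ScreenConnect, Mimikatz and Advanced IP Scanner, all run by the same domain account from its Downloads folder, spanning a 180-day window; the same pattern matching applies to real Sysmon Event ID 1 or Windows 4688 data once the parser is adapted to that format.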