SolarWinds hackers have granted themselves high-level administrative privileges to spy on victims undetected, says DHS

The statement released Friday by the Department of Homeland Security represents the agency’s most detailed explanation of how the attackers were able to monitor high-value intelligence targets undetected for months.

It also reveals that researchers are increasingly focused on the use of Microsoft products by attackers to hide in plain sight.

The alert does not address what data hackers may have accessed or the scope of the breach and is limited to a description of the attack patterns themselves. A joint statement on Tuesday by intelligence officials said “fewer than ten agencies” appear to have been specifically targeted for spying.
Since then, however, the federal judiciary has said it is investigating a possible compromise in its electronic case management system, and the Justice Department has recognized that up to 3 percent of its Microsoft email accounts have been potentially accessed.

Cybersecurity experts and American officials said weeks ago that the attackers likely abused credentials and impersonated legitimate users to conduct their espionage campaign.

Now, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has confirmed what happened, describing step by step how the attackers hid their tracks.

First, attackers gained initial access to the victim by exploiting the previously disclosed SolarWinds vulnerability or by other methods, such as password guessing, which CISA said it is still investigating.

Then, attackers attempted to impersonate one or more real users to access an organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory.

Security experts have described services like Azure Active Directory as holding “the keys to the kingdom” because, for many companies, it is the software used to create and manage network accounts, passwords and privileges.

After attackers gained access to the organization’s identity provider, they were able to set permissions for themselves to clandestinely access other programs and applications, CISA said.
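The three steps above (initial access, impersonating a real user at the identity provider, then granting oneself permissions) leave a trail in the identity provider's audit log. The following is an added illustration, not code from CISA, Microsoft or the article, of the kind of review logic a defender can run over such a log: it flags role assignments an account makes to itself, assignments of high-privilege roles, and grants made by an account shortly after it was itself elevated. The JSON-lines record shape (`time`, `actor`, `action`, `target`, `role`) and the sample events are constructed for the example; the role names are illustrative and should be mapped to the tenant's real role and action names before use.

```python
"""Flag suspicious privilege grants in identity-provider audit logs.

Added example (not CISA's or Microsoft's tooling). The record shape used here
is a hypothetical simplification; map a real provider's export onto these
fields before running it against production logs.
"""
import json
from datetime import datetime, timedelta

# Roles treated as high privilege. Names are illustrative; adjust per tenant.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Application Administrator",
    "Privileged Role Administrator",
}

# Constructed sample log: one account is handed a privileged role by another,
# then uses it to give itself a second role and to grant an application
# mailbox access. The last line is routine helpdesk onboarding for contrast.
SAMPLE_LOG = "\n".join([
    '{"time": "2020-12-01T02:10:00Z", "actor": "svc-backup", "action": "AddRoleMember", '
    '"target": "j.doe", "role": "Global Administrator"}',
    '{"time": "2020-12-01T02:12:30Z", "actor": "j.doe", "action": "AddRoleMember", '
    '"target": "j.doe", "role": "Application Administrator"}',
    '{"time": "2020-12-01T02:15:00Z", "actor": "j.doe", "action": "GrantAppPermission", '
    '"target": "mail-sync-app", "role": "Mail.Read"}',
    '{"time": "2020-12-01T09:00:00Z", "actor": "it-admin", "action": "AddRoleMember", '
    '"target": "new.hire", "role": "Helpdesk Administrator"}',
])


def parse_events(text):
    """Parse JSON-lines audit records into dicts, oldest first, with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def detect_suspicious_grants(events, window=timedelta(hours=1)):
    """Return (record, reason) pairs for grants that warrant analyst review.

    Rules (deliberately conservative so the output stays short):
      self_grant        an account assigns a role to itself
      privileged_role   a role listed in PRIVILEGED_ROLES is assigned
      newly_privileged  an account grants anything within `window` of having
                        itself received a privileged role
    """
    findings = []
    elevated_at = {}  # account -> time it last received a privileged role
    for rec in events:
        reasons = []
        is_role_add = rec["action"] == "AddRoleMember"
        if is_role_add and rec["actor"] == rec["target"]:
            reasons.append("self_grant")
        if is_role_add and rec["role"] in PRIVILEGED_ROLES:
            reasons.append("privileged_role")
        # Check the actor's elevation time before recording this event's own.
        since = elevated_at.get(rec["actor"])
        if since is not None and rec["time"] - since <= window:
            reasons.append("newly_privileged")
        if "privileged_role" in reasons:
            elevated_at[rec["target"]] = rec["time"]
        findings.extend((rec, reason) for reason in reasons)
    return findings


def flagged_accounts(findings):
    """Group findings by the acting account: actor -> sorted list of reasons."""
    summary = {}
    for rec, reason in findings:
        summary.setdefault(rec["actor"], set()).add(reason)
    return {actor: sorted(reasons) for actor, reasons in summary.items()}


if __name__ == "__main__":
    results = detect_suspicious_grants(parse_events(SAMPLE_LOG))
    for rec, reason in results:
        print(f"{rec['time']:%Y-%m-%d %H:%M} {reason:16} {rec['actor']} -> "
              f"{rec['target']} ({rec['role']})")
    print(flagged_accounts(results))
```

On the constructed sample the routine helpdesk assignment produces no finding, while the `j.doe` chain is flagged three ways; the `newly_privileged` rule is the one that ties the self-grant back to the account that performed the original elevation, which is the pivot an analyst would want to pull on first.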

Attacks on a platform like Active Directory can be extremely powerful, said Robert M. Lee, CEO of cybersecurity company Dragos.

“It is a system that connects all other systems,” he said in a recent interview.

Cedric Leighton, a former NSA employee and CNN military analyst, said the report demonstrates the sophistication of the attackers.

“This is the last key to understanding the SolarWinds hack,” said Leighton. “The fact that the credentials have been compromised – including multi-factor identity authentication systems – shows how extensive this attack really was. The sideways references show that they moved across networks to compromise much more data than previously thought. In essence, this is the admission that the possible compromise of our systems goes far beyond what was originally reported. This is big business.”

Zachary Cohen contributed to this story.
