Threat actors spent a minimum of five months within a regional U.S. government agency’s network before detonating a LockBit ransomware payload, according to a Tuesday report from Sophos.
The report did not name the agency, nor what state or local government said agency is connected to. Instead, Sophos researchers Andrew Brandt and Angela Gunn provided a picture of the attack and used event logs the hackers hadn’t deleted to piece together a timeline of events.
LockBit is a prominent ransomware-as-a-service gang that has been active since at least mid-2019. As is standard practice now, LockBit uses a double-extortion method with which it both encrypts data and threatens to leak a victim’s data if the victim doesn’t pay. The ransomware, offered primarily to Russian-speaking users, has been used in a number of notable attacks, including last year’s breach against consulting giant Accenture.
The researchers wrote that attackers spent five months remotely Googling for — and downloading — hacking tools from the agency’s own machines before successfully deploying LockBit ransomware.
The tools included ScreenConnect, now called ConnectWise Control, and later AnyDesk for remote access; attackers also used remote desktop protocol (RDP) scanning, exploits and brute-force password tools, as well as cryptocurrency miners and pirated VPN software. Moreover, the actors “used freeware tools like PsExec, FileZilla, Process Explorer, or GMER to execute commands, move data from one machine to another, and kill or subvert the processes that impeded their efforts.”
Brandt and Gunn argued based on behavioral data that two or more groups were “poking around” in this five-month period. This is based on data suggesting attackers got more “focused” four months into the breach, as well as new IP addresses that were traced to a wide variety of nations — though Sophos concedes the addresses may have just been Tor exit nodes.
Sophos became involved a few days before the attackers deployed the ransomware. In the month before, the actors used their access to dump account credentials, check RDP abilities, create new user accounts and run network enumeration tools, which Sophos described as “table-setting activities.”
On the day the threat actors launched the ransomware attack, Sophos’ team used defensive measures to stop some malware installation attempts. However, as Brandt and Gunn wrote, “compromised credentials allowed the attacker to outflank those protections.”
The ransomware attack was successful, but a number of machines were not encrypted, and Sophos took steps to shut down servers that provided the attackers with remote access. In addition to the standard ransom note, attackers included an advertisement apparently intended for insiders at the agency looking to sell access. It is unknown if the agency paid LockBit’s ransom.
Sophos declined SearchSecurity’s request for additional comment.
Brandt and Gunn noted multiple weaknesses in the defensive posture of the unnamed agency. According to the report, the victim organization lacked both an organizational implementation of multifactor authentication protection as well as a firewall rule to prevent “remote access to RDP ports in the absence of a VPN connection.”
“Responding to alerts, or even warnings about reduced performance, promptly would have prevented a number of attack stages from bearing fruit,” the report said. “Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.