The Cybersecurity and Infrastructure Security Agency (CISA) reported on Wednesday that over half of all cyberattacks on government and state-level bodies, as well as critical infrastructure entities, used valid accounts. The agency’s study of security breaches over 2022 revealed that threat actors most effectively executed their attacks via familiar techniques such as phishing and the use of default credentials.
During 2022, CISA collaborated with the United States Coast Guard (USCG) to conduct 121 Risk and Vulnerability Assessments (RVAs) on federal civilian agencies; select state, local, tribal, and territorial stakeholders; and high-priority public and private sector critical infrastructure operators.
Gabriel Davis, CISA’s risk operations federal lead, explained to Recorded Future News that the objective of these RVAs was to examine the defensive capabilities of organizations, giving the government an opportunity to gauge responses to sophisticated attacks. According to Davis, what was striking was the continued reliance of hackers on the same techniques. He said, “We’re seeing the same issues. Threat actors are modifying their TTPs but we’re not seeing a large deviation from the activity they’ve done in the past.”
Insights from these RVAs extend beyond a one-time audit, creating a long-term relationship with the organizations. CISA offers ongoing support to these entities, helping them elevate their cybersecurity defense posture. The agency also disseminates its RVA findings to other organizations that did not receive an RVA, encouraging them to scrutinize their network security measures.
The agency discovered that 54% of successful cyberattacks involved the misuse of valid credentials, including unattended former employee accounts and default administrator accounts. Spearphishing, the tactic of masquerading as a trustworthy colleague to trick individuals into clicking on malicious links, was also frequently employed and proved successful in 33% of cases.
CISA found that 78% of spearphishing links or attachments were blocked at the device level, whereas only 13% were stopped at the network border level. The agency highlighted the importance of simple yet effective security measures like changing default passwords and raising awareness about phishing.
The report incorporated real-world examples of these tactics in action, citing attacks by the China-based hacker group APT41 as demonstrations of the tactics noted in the RVAs.
CISA, in collaboration with the USCG, provided the 121 surveyed organizations with a list of observations to bolster their security. These included secure password policies, phishing awareness programs, maintaining fully patched software, disabling unnecessary applications and network protocols, and establishing a public vulnerability disclosure reporting program.
In closing, Davis expressed optimism about the ongoing security efforts, asserting that organizations are on the right track with the implementation of proper controls and actions. “All the right controls are being put in place and all the right actions are being taken. With any other tasks it just comes down to how many man-hours you have to devote to any specific activity,” he said.