Email account compromise happens constantly, all over the world: one estimate puts the number of accounts breached during 2019 at 2.5 billion, which works out to roughly 6.85 million accounts every day.

Attackers are always hunting for high-value accounts with access to high-value assets, and taking over an email account is often the first step toward the data behind it. A recent, well-documented example is the compromise of staff email accounts at the U.S. Treasury Department last December. The takeover of those privileged accounts was not the result of a routine credential-stuffing attack; it was the result of a sophisticated software supply chain attack. An official statement shared by Senate Finance Committee ranking member Ron Wyden said: “Hackers broke into systems in the Departmental Offices division of Treasury, home to the department’s highest-ranking officials.”

These intrusions were part of the widely reported SolarWinds attack, in which foreign hackers, attributed to the Russian government, compromised the SolarWinds Orion monitoring and management platform and shipped a backdoor inside a legitimate, signed update. That backdoor gave the attackers a foothold inside victim networks from which they could obtain privileged credentials and tokens without ever having to guess a username or password. With those in hand, they could impersonate legitimate users and move freely within the compromised organizations. Unfortunately, no one knows for certain what data was taken or the full range of actions the attackers carried out. Microsoft has said that it addressed the weakness the attackers exploited. Even so, the trojanized update reached as many as 18,000 government and private customers, potentially exposing user IDs, passwords, financial records, source code and other sensitive or high-value data.

Email accounts are one of the weak points attackers focus on most. Just as the SolarWinds compromise gave the attackers a way onto thousands of networks at once, a single compromised email account can have compounding consequences: the address is tied to password resets and logins for many other accounts, so control of the mailbox gives the attacker a path into those systems and the data they hold.

As politicians, regulators, security experts and software developers try to work out what could have been done to prevent this attack, it is clear that there is no simple answer. Supply chain attacks are hard to defend against because you are depending on the software vendor to safeguard its source code, build systems and distribution platforms. In this case, the usual recommendations would not have stopped the attack:

  • Organizations are told to install only signed software releases, but the software involved in this incident carried a valid vendor signature, because the backdoor was introduced before the signing step.
  • Updating to the latest version would not have helped either: it was the latest version that had been tampered with, so the update itself delivered the backdoor.
  • The attack was carried out so quietly and carefully that routine monitoring would not have detected it.
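The first bullet is worth seeing concretely. The following is an added example written for this page (it is not SolarWinds code and does not reproduce the real attack): a constructed, deliberately simplified release pipeline that builds a stand-in "product" from a source string and signs the artifact with the vendor's Ed25519 key. When an attacker with a foothold on the build host splices an implant in after source review but before signing, the trojaned artifact verifies just as cleanly as the honest one, because a code signature only proves that the vendor's key signed those exact bytes. The example goes one step beyond the text by also showing the check that does tell the two apart: an independent, reproducible rebuild from the reviewed source compared by digest. The source string, implant string and build transform are all hypothetical placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for the vendor's reviewed source tree (not real code).
var cleanSource = []byte("func Monitor() { collectMetrics(); reportHealth() }")

// Hypothetical implant the attacker splices in on the build host, after
// source review and before signing. Also constructed; it does nothing.
var implant = []byte(" // beacon(\"c2.example.invalid\")")

// Pipeline models a release pipeline holding the vendor's signing key.
type Pipeline struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	// Compromised models an attacker with write access to the build host.
	Compromised bool
}

// NewPipeline generates a fresh vendor signing key pair.
func NewPipeline() *Pipeline {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Pipeline{Pub: pub, priv: priv}
}

// build is a deterministic placeholder for compilation: the same source always
// yields the same artifact, which is the property a reproducible build gives you.
func build(src []byte) []byte {
	sum := sha256.Sum256(src)
	return append(append([]byte(nil), src...), sum[:]...)
}

// Release builds and signs. On a compromised pipeline the implant is injected
// before signing, so the malicious artifact receives a valid vendor signature.
func (p *Pipeline) Release() (artifact, sig []byte) {
	src := cleanSource
	if p.Compromised {
		src = append(append([]byte(nil), cleanSource...), implant...)
	}
	artifact = build(src)
	sig = ed25519.Sign(p.priv, artifact)
	return artifact, sig
}

// VerifySignature is all that "only install signed releases" actually checks:
// that the vendor's key signed these exact bytes, nothing about their origin.
func VerifySignature(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// IndependentRebuildMatches is the check that distinguishes the two releases:
// a second party rebuilds from the reviewed source and compares digests.
func IndependentRebuildMatches(artifact []byte) bool {
	want := sha256.Sum256(build(cleanSource))
	got := sha256.Sum256(artifact)
	return want == got
}

func main() {
	for _, compromised := range []bool{false, true} {
		p := NewPipeline()
		p.Compromised = compromised
		art, sig := p.Release()
		digest := sha256.Sum256(art)
		fmt.Printf("compromised=%-5v signature_valid=%-5v rebuild_matches=%-5v sha256=%s\n",
			compromised,
			VerifySignature(p.Pub, art, sig),
			IndependentRebuildMatches(art),
			hex.EncodeToString(digest[:8]))
	}
}
```

Both releases print `signature_valid=true`; only the rebuild comparison flags the compromised one. The same logic applies to real binaries: a signature check is necessary but proves only who signed, so a build that can be tampered with before signing needs an out-of-band integrity check such as a reproducible rebuild or a second, independent build attestation.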

The ease with which highly privileged user accounts inside the United States government were taken over should be a wake-up call to every business. In today's highly connected, digital world, a zero-trust security strategy must be put in place.