CISA red-teamed a 'large critical infrastructure organization' and didn't get caught

Hackers working for the federal government only had moderate success in attacking a "large critical infrastructure organization" last year, but were able to get in and get out without being detected, the Cybersecurity and Security Infrastructure Agency (CISA) said Tuesday.

CISA had the organization's permission for the stealthy three-month "red team assessment" in 2022 to get a full view of the network's weaknesses. Certain personnel at the target organization had "some high-level details of the engagement," the agency said.

"Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response," CISA said in a report intended to advise critical infrastructure companies about security measures.

It's the first time the agency has published an advisory on one of its red team assessments, a spokesperson told The Record.

"Our recommendations provided to the assessed organizations are applicable to help other entities assess and improve their cybersecurity," the spokesperson said. "We encourage all organizations to read this latest advisory and implement the recommendations therein."

The hackers had some early success, the agency said, but eventually came up against the organization's core security measures.

"The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs)," CISA said.

That's where they were stymied: In one case, multi-factor authentication (MFA) blocked attempts to infiltrate an SBS, CISA said. MFA usually involves a second form of identifying a user — such as a physical key or a code-generating app — beyond a username password. In trying to access another SBS, the team simply ran out of time, the agency said.

The CISA Red Team has the legal authority, upon request, to "provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks," the agency said.

The report details all of the team's tactics, techniques and procedures.

The hackers began with spearphishing specific employees, ultimately compromising two workstations. They used that access to gather more information about the network. Afterward, the red team did more successful spearphishing — this time of employees with administrative access.

The tools included Cobalt Strike, commercially available software that is intended for penetration testing on networks but is also repurposed by malicious hackers.

The CISA report does not identify the target organization's area of critical infrastructure. The agency lists 16 sectors under that umbrella, including manufacturing, energy, financial services, healthcare, transportation and water systems. Protecting those industries has been a centerpiece of the government's cybersecurity strategy in recent years, with President Joe Biden signing legislation in March 2022 requiring critical infrastructure organizations to report cyber incidents within 72 hours.