URL: https://therecord.media/cisa-red-team-large-critical-infrastructure-organization/

Image: Department of Defense / Lisa Ferdinando / Flickr
Joe Warminsky February 28, 2023


CISA RED-TEAMED A ‘LARGE CRITICAL INFRASTRUCTURE ORGANIZATION’ AND DIDN’T GET
CAUGHT

Hackers working for the federal government only had moderate success in
attacking a “large critical infrastructure organization” last year, but were
able to get in and get out without being detected, the Cybersecurity and
Infrastructure Security Agency (CISA) said Tuesday.

CISA had the organization’s permission for the stealthy three-month “red team
assessment” in 2022 to get a full view of the network’s weaknesses. Certain
personnel at the target organization had “some high-level details of the
engagement,” the agency said.

“Despite having a mature cyber posture, the organization did not detect the red
team’s activity throughout the assessment, including when the team attempted to
trigger a security response,” CISA said in a report intended to advise critical
infrastructure companies about security measures.

It’s the first time the agency has published an advisory on one of its red team
assessments, a spokesperson told The Record.

“Our recommendations provided to the assessed organizations are applicable to
help other entities assess and improve their cybersecurity,” the spokesperson
said. “We encourage all organizations to read this latest advisory and implement
the recommendations therein.”

The hackers had some early success, the agency said, but eventually came up
against the organization’s core security measures.

“The team gained persistent access to the organization’s network, moved
laterally across the organization’s multiple geographically separated sites, and
eventually gained access to systems adjacent to the organization’s sensitive
business systems (SBSs),” CISA said.

That’s where they were stymied: in one case, multi-factor authentication (MFA)
blocked attempts to infiltrate an SBS, CISA said. MFA usually involves a second
form of identifying a user — such as a physical key or a code-generating app —
beyond a username and password. In trying to access another SBS, the team simply
ran out of time, the agency said.

The CISA Red Team has the legal authority, upon request, to “provide analyses,
expertise, and other technical assistance to critical infrastructure owners and
operators and provide operational and timely technical assistance to Federal and
non-Federal entities with respect to cybersecurity risks,” the agency said.

The report details all of the team’s tactics, techniques and procedures.

The hackers began with spearphishing specific employees, ultimately compromising
two workstations. They used that access to gather more information about the
network. Afterward, the red team did more successful spearphishing — this time
of employees with administrative access.

The tools included Cobalt Strike, commercially available software that is
intended for penetration testing on networks but is also repurposed by malicious
hackers.

The CISA report does not identify the target organization’s area of critical
infrastructure. The agency lists 16 sectors under that umbrella, including
manufacturing, energy, financial services, healthcare, transportation and water
systems. Protecting those industries has been a centerpiece of the government’s
cybersecurity strategy in recent years, with President Joe Biden signing
legislation in March 2022 requiring critical infrastructure organizations to
report cyber incidents within 72 hours.

Tags
 * CISA
 * Critical Infrastructure
 * hacking
 * red team

Joe Warminsky is the news editor for Recorded Future News. He has more than 25
years experience as an editor and writer in the Washington, D.C., area. Most
recently he helped lead CyberScoop for more than five years. Prior to that, he
was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent
more than a decade editing coverage of Congress for CQ Roll Call.

© Copyright 2023 | The Record from Recorded Future News