Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies, according to the Cybersecurity and Infrastructure Security Agency.

Valid credential compromise combined with spear-phishing attacks accounts for nearly 90% of infiltrations last year.

Valid accounts, including former employee accounts not removed from the Active Directory and default administrator credentials, were responsible for 54% of all attacks studied in the agency’s annual risk and vulnerability assessment released Wednesday.

Spear-phishing links — malware-laced emails sent to targeted individuals — were responsible for 1 in 3 attacks, the report found.

The success rate of these techniques underscores the staying power of the most common methods threat actors use to gain initial access to targeted systems.

“Gaining initial access to an organization’s network is the first step in a successful attack,” CISA wrote in its analysis. “If threat actors establish initial access, then they could execute other techniques such as privilege escalation to ultimately steal information.”

The next closest techniques, spear-phishing attachments and external remote services, were each used 3% of the time to gain initial access.

Exploits of public-facing applications were responsible for just 1% of all attacks studied during the federal government’s fiscal year 2022, which ended Sept. 30.

CISA and the U.S. Coast Guard Cyber Command conducted 121 risk and vulnerability assessments across multiple critical infrastructure sectors during the period and found similarities across the compromises.

“Many organizations across varying critical infrastructure sectors exhibited the same vulnerabilities,” the agencies said in the report.

CISA found many real-world attacks followed a typical order of operations. The threat actor:

• Gained initial access
• Executed code to establish a foothold and maintain persistence on the network
• Used privilege escalation to gain administrative rights
• Used defense evasion techniques to avoid detection and attempt to steal credential access
• Discovered systems and networks to get a lay of the land and identify sensitive data
• Used lateral movement to access sensitive data
• Collected sensitive data
• Used command and control to exfiltrate data and potentially maintain control after the attack.

While threat actors consistently change tools and techniques to initiate attacks, federal cyber authorities said the same methods are being used to obtain unauthorized access to the country’s most critical networks and systems.