Sophos researchers discovered that two threat actors groups had lurked in the network of a regional US government agency and performed reconnaissance and remote access operations for at least five months prior to deploying LockBit ransomware, BleepingComputer reports. Attackers initially leveraged a misconfigured firewall's open desktop protocol to access the agency's network before using Google Chrome for downloading its attack toolset, which includes brute-forcing and scanning utilities, free file management and command execution tools, and a commercial VPN, the report revealed. Aside from exfiltrating valuable account credentials, threat actors also stole a local server admin's credentials. However, the operation was taken over by a more sophisticated attacker five months following the initial compromise, with the threat actor deploying Mimikatz and LaZagne for credential extraction. "On the first day of the sixth month of the attack, the attacker made their big move, running Advanced IP Scanner and almost immediately beginning lateral movement to multiple sensitive servers. Within minutes, the attacker has access to a slew of sensitive personnel and purchasing files," the report said. While Sophos has been able to shut down servers that enabled remote access, LockBit has already encrypted some of the agency's network.