By NHI Mgmt Group Editorial Team | Published 2025-09-29 | Domain: Governance & Risk | Source: Axiad

TL;DR: Russian GRU unit 26165 is using password sprays, phishing, malware, weak authentication, mailbox permission abuse, and legacy protocols like NTLM to break identity trust and enter target environments, according to Axiad. Certificate-based authentication and PKI reduce exposure, but enterprises still need better lifecycle control and protocol retirement.


At a glance

What this is: This is an independent analysis of a state-sponsored identity intrusion pattern that targets authentication, mailbox permissions, and legacy protocols rather than brute-forcing networks.

Why it matters: It matters because IAM, PKI, and zero-trust teams need to treat identity trust, protocol choice, and credential lifecycle as frontline controls, not back-end hygiene.

By the numbers:

  • Russian GRU hackers are executing a persistent cyber espionage campaign across 10+ nations.

👉 Read Axiad's analysis of state-sponsored identity attacks and PKI defense


Context

Identity infrastructure is the entry point in this campaign, not a supporting layer. The article describes Russian GRU activity that relies on password spraying, phishing, malware, weak authentication, misconfigured mailbox permissions, and outdated protocols such as NTLM to break identity trust and move into target environments.

For IAM and PKI teams, the message is straightforward: authentication strength, permission hygiene, and protocol retirement are part of the attack surface. The article frames certificate-based authentication as a better trust model for on-prem and hybrid environments, but the underlying problem is broader than login hardening alone.


Key questions

Q: How should security teams reduce risk from password spraying and phishing against identity systems?

A: Teams should reduce the number of sign-in paths that depend on guessable or replayable credentials, then favour phishing-resistant authentication for high-value users and systems. The goal is to make identity trust harder to steal and easier to verify. Password policy alone is not enough if legacy protocols, weak recovery flows, or permissive remote access still exist.

Q: Why do legacy protocols like NTLM still increase identity risk?

A: Legacy protocols preserve older trust assumptions that modern attackers can exploit more easily than cryptographic authentication. They often remain in place for compatibility, which makes them attractive entry points when stronger controls exist elsewhere. If a threat actor can choose the weakest accepted path, the environment behaves as if the weakest protocol is the real policy.

Q: How do mailbox permissions turn a valid login into broader compromise?

A: Mailbox delegation and inherited permissions can expose communications, attachments, and administrative reach beyond what the user should normally see. A valid login is only the first step; over-permissioned mail access can turn that foothold into espionage or lateral movement. Teams should treat email permission models as part of identity security, not as a separate admin task.

Q: Who is accountable when certificate-based authentication is rolled out but lifecycle controls are weak?

A: Accountability sits with the identity, PKI, and platform owners together because certificate strength depends on governance across issuance, renewal, revocation, and decommissioning. If those controls are weak, the organisation has simply replaced one credential type with another unmanaged one. Ownership needs to be explicit before certificates are trusted as a primary authentication layer.


Technical breakdown

Why weak authentication becomes the first intrusion path

Password spraying and phishing work because they attack the trust boundary that identity systems expose first. When organisations still rely on guessable credentials, MFA fatigue, or poorly governed sign-in flows, attackers do not need to defeat the network itself. They only need one successful identity assertion. That is especially dangerous in environments where remote access, email, and internal apps all reuse the same authentication trust chain. Certificate-based authentication reduces that exposure by replacing shared human guesswork with cryptographic proof of identity, but only when certificate issuance and lifecycle controls are actually enforced.

Practical implication: reduce exposure by retiring weak authentication paths before attackers can exploit them.
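The detection side of the password-spraying point above, as an added example that is not part of the Axiad article or NHIMG's own material: a spray is "wide and shallow" (many accounts, one or two failures each, from one source in a short window), which is the opposite shape from a single-account brute force, so a per-account lockout counter never sees it. The sign-in log format, the sample lines and the thresholds below are constructed assumptions; point the parser at your identity provider's real sign-in export and tune the thresholds to its baseline failure rate.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log. The key=value shape is an assumption for the
# example, not any vendor's schema. 203.0.113.7 sprays six accounts and lands one;
# 198.51.100.20 hammers a single account; 192.0.2.44 is a normal user typo.
SAMPLE_LOG = """\
2025-09-29T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-09-29T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2025-09-29T08:00:05Z src=203.0.113.7 user=carol result=FAIL
2025-09-29T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2025-09-29T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2025-09-29T08:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2025-09-29T08:01:00Z src=198.51.100.20 user=alice result=FAIL
2025-09-29T08:01:02Z src=198.51.100.20 user=alice result=FAIL
2025-09-29T08:01:04Z src=198.51.100.20 user=alice result=FAIL
2025-09-29T08:01:06Z src=198.51.100.20 user=alice result=FAIL
2025-09-29T08:01:08Z src=198.51.100.20 user=alice result=FAIL
2025-09-29T08:05:00Z src=192.0.2.44 user=grace result=FAIL
2025-09-29T08:05:30Z src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_sprays(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures are wide and shallow.

    A source is flagged when, inside any `window` of its failures, at least
    `min_users` distinct accounts failed and no single account failed more than
    `max_per_user` times. Thresholds are illustrative.
    """
    failures = defaultdict(list)   # source -> [(ts, user), ...]
    successes = defaultdict(set)   # source -> {user, ...}
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        elif result == "SUCCESS":
            successes[src].add(user)

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than `window` of failure time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                candidate = {
                    "distinct_users": len(per_user),
                    "failures": end - start + 1,
                    # A success from a spraying source is the account to triage first.
                    "success_users": sorted(successes[src]),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in detect_sprays(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

Only the spraying source is reported; the single-account brute force from 198.51.100.20 is a different pattern and is left to the per-account lockout logic. The `success_users` field is the operational output: a valid identity assertion obtained by a source that was just guessing across the directory is exactly the foothold the article describes.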

How mailbox permissions and legacy protocols extend attacker reach

Misconfigured mailbox permissions and legacy protocols like NTLM turn one compromised identity into broader access. Mailbox delegation can expose sensitive communications, while NTLM remains easier to abuse than modern, phishing-resistant methods because it preserves older trust assumptions. In mixed on-prem and cloud estates, those assumptions often survive longer than the systems themselves. That creates a layered identity problem: the credential may be strong, but the protocol and permissions model still allow abuse. PKI helps only if it is paired with permission review, protocol deprecation, and clean identity boundaries across Exchange, AD, and RDP.

Practical implication: audit delegated mailbox access and phase out NTLM where identity trust is still inherited from legacy systems.
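The NTLM half of that implication starts with knowing which source still authenticates to which target over NTLM; the following inventory builder is an added example, not code from Axiad or NHIMG. The records are constructed, but their field names follow the Windows logon event 4624 (AuthenticationPackageName, LmPackageName, LogonType, TargetUserName, IpAddress, WorkstationName); treating the "Computer" field as the host that logged the event, and reading the records as JSON lines, are assumptions of the example.

```python
"""NTLM dependency inventory from logon events (added example, constructed data)."""
import json

# Constructed 4624/4625 records in JSON-lines form. A Negotiate logon whose
# LmPackageName is an NTLM version means Kerberos was not used, so it counts.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "FS01.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "TargetUserName": "svc-backup", "IpAddress": "10.0.5.12", "WorkstationName": "LEGACY-APP01"}
{"EventID": 4624, "Computer": "FS01.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "TargetUserName": "svc-backup", "IpAddress": "10.0.5.12", "WorkstationName": "LEGACY-APP01"}
{"EventID": 4624, "Computer": "MAIL01.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "alice", "IpAddress": "10.0.9.30", "WorkstationName": "WS-ALICE"}
{"EventID": 4624, "Computer": "MAIL01.corp.example", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "TargetUserName": "bob", "IpAddress": "10.0.9.31", "WorkstationName": "WS-BOB"}
{"EventID": 4624, "Computer": "RDG01.corp.example", "LogonType": 10, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "carol", "IpAddress": "203.0.113.50", "WorkstationName": "-"}
{"EventID": 4624, "Computer": "FS01.corp.example", "LogonType": 3, "AuthenticationPackageName": "Negotiate", "LmPackageName": "NTLM V2", "TargetUserName": "dave", "IpAddress": "10.0.9.32", "WorkstationName": "WS-DAVE"}
{"EventID": 4625, "Computer": "FS01.corp.example", "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "-", "TargetUserName": "eve", "IpAddress": "10.0.9.33", "WorkstationName": "WS-EVE"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def used_ntlm(ev):
    """True when the logon used NTLM, including Negotiate that fell back to NTLM."""
    return (ev.get("AuthenticationPackageName") == "NTLM"
            or str(ev.get("LmPackageName", "")).startswith("NTLM"))


def ntlm_inventory(events):
    """Group successful NTLM logons by (source, target) so each dependency can be
    given an owner and a retirement or isolation plan. Sorted by count, descending."""
    deps = {}
    for ev in events:
        if ev.get("EventID") != 4624 or not used_ntlm(ev):
            continue  # failures and Kerberos logons are not dependencies
        workstation = ev.get("WorkstationName")
        source = workstation if workstation not in (None, "", "-") else ev.get("IpAddress")
        key = (source, ev["Computer"])
        dep = deps.setdefault(key, {
            "source": source, "target": ev["Computer"], "count": 0,
            "users": set(), "versions": set(), "remote_interactive": False,
        })
        dep["count"] += 1
        dep["users"].add(ev["TargetUserName"])
        dep["versions"].add(ev.get("LmPackageName", "-"))
        if ev.get("LogonType") == 10:  # RemoteInteractive: an RDP-style session
            dep["remote_interactive"] = True
    result = []
    for dep in deps.values():
        dep["users"] = sorted(dep["users"])
        dep["versions"] = sorted(dep["versions"])
        result.append(dep)
    result.sort(key=lambda d: (-d["count"], d["source"], d["target"]))
    return result


def summarise(inventory):
    """Headline numbers for the deprecation plan: NTLMv1 and remote-access paths first."""
    return {
        "dependencies": len(inventory),
        "ntlmv1_dependencies": sum(1 for d in inventory if "NTLM V1" in d["versions"]),
        "remote_access_dependencies": sum(1 for d in inventory if d["remote_interactive"]),
    }


if __name__ == "__main__":
    inv = ntlm_inventory(parse_events(SAMPLE_EVENTS))
    for dep in inv:
        print(dep)
    print(summarise(inv))
```

The ordering is deliberate: the NTLMv1 dependency (a legacy application host talking to a file server with a service account) and the NTLM logon arriving at the remote-access gateway from outside are the paths to replace or isolate first, because they are the ones that preserve the oldest trust assumptions.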

Why certificate-based authentication changes the trust model

Certificate-based authentication shifts verification from something a user knows to something an organisation issues and controls. That makes brute-force guessing and token replay much harder, and it aligns better with zero-trust expectations because the authentication event is cryptographically bound to a managed identity. But PKI is not self-governing. It introduces lifecycle work across issuance, renewal, revocation, and policy enforcement, especially in hybrid environments where old and new authentication models coexist. The real control value comes from treating certificates as governed identity assets, not just stronger login tokens.

Practical implication: manage certificates as governed identities with explicit issuance, renewal, and revocation controls.
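What "governed identity assets" means in practice is a recurring check over the certificate inventory, not a one-time rollout. The audit below is an added example and not code from Axiad or NHIMG; the inventory records, the policy limits and the fixed clock are constructed assumptions, and a real run would be fed from the CA database or a certificate inventory tool. It covers the lifecycle stages the section names (issuance, renewal, revocation, decommissioning) and the two cases that quietly recreate the unmanaged-credential problem: a revoked certificate whose account mapping was never removed, and a valid certificate nobody owns or maps.

```python
"""Certificate lifecycle governance check (added example, constructed inventory)."""
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 29)  # fixed clock so the check is reproducible

# Constructed policy: client-auth certificates should not outlive the annual
# review, and renewal is due before expiry rather than after.
POLICY = {"max_validity_days": 365, "renewal_warning_days": 30}

# Constructed inventory: one record per issued client-authentication certificate.
# `mapped_to_account` is an assumed flag meaning "an account still trusts this cert".
INVENTORY = [
    {"serial": "1001", "subject": "alice@corp.example", "owner": "IAM",
     "not_before": datetime(2025, 1, 1), "not_after": datetime(2025, 12, 31),
     "revoked": False, "mapped_to_account": True},
    {"serial": "1002", "subject": "svc-backup", "owner": None,
     "not_before": datetime(2023, 1, 1), "not_after": datetime(2028, 1, 1),
     "revoked": False, "mapped_to_account": True},
    {"serial": "1003", "subject": "bob@corp.example", "owner": "IAM",
     "not_before": datetime(2024, 10, 15), "not_after": datetime(2025, 10, 15),
     "revoked": False, "mapped_to_account": True},
    {"serial": "1004", "subject": "carol@corp.example", "owner": "IAM",
     "not_before": datetime(2024, 2, 1), "not_after": datetime(2025, 1, 1),
     "revoked": False, "mapped_to_account": True},
    {"serial": "1005", "subject": "dave@corp.example", "owner": "Platform",
     "not_before": datetime(2025, 3, 1), "not_after": datetime(2026, 3, 1),
     "revoked": True, "mapped_to_account": True},
    {"serial": "1006", "subject": "erin@corp.example", "owner": "IAM",
     "not_before": datetime(2025, 6, 1), "not_after": datetime(2026, 6, 1),
     "revoked": False, "mapped_to_account": False},
]


def check_certificate(cert, now=NOW, policy=POLICY):
    """Return the governance findings for one certificate (empty list if clean)."""
    findings = []
    validity = cert["not_after"] - cert["not_before"]
    if cert["owner"] is None:
        findings.append("no_owner")            # nobody accountable for renewal/revocation
    if validity > timedelta(days=policy["max_validity_days"]):
        findings.append("validity_exceeds_policy")
    if cert["not_after"] <= now:
        findings.append("expired")
    elif cert["not_after"] - now <= timedelta(days=policy["renewal_warning_days"]):
        findings.append("renewal_due")
    # Revoked but still mapped: the trust path survives wherever a relying party
    # skips revocation checking, so the mapping itself has to be removed.
    if cert["revoked"] and cert["mapped_to_account"]:
        findings.append("revoked_but_still_mapped")
    # Valid, unrevoked, but mapped to nothing: an issued credential with no
    # decommissioning decision behind it.
    if not cert["revoked"] and not cert["mapped_to_account"] and cert["not_after"] > now:
        findings.append("orphaned_valid_certificate")
    return findings


def audit(inventory, now=NOW, policy=POLICY):
    """Map serial -> findings for every certificate that has at least one."""
    report = {}
    for cert in inventory:
        findings = check_certificate(cert, now, policy)
        if findings:
            report[cert["serial"]] = findings
    return report


if __name__ == "__main__":
    for serial, findings in audit(INVENTORY).items():
        print(serial, findings)
```

Each finding maps to a named owner action (assign ownership, reissue within policy, renew, remove the mapping, decommission), which is the point of the "accountability" question earlier on the page: the check is only useful if someone is on the hook for closing each line.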


Threat narrative

Attacker objective: persistent espionage access, gained by abusing identity trust rather than by defeating perimeter controls.

  1. Entry begins with password spraying, phishing lures, or abuse of weak authentication paths that let the attacker obtain a valid identity foothold.
  2. Escalation follows through misconfigured mailbox permissions, legacy NTLM use, and vulnerable VPN or remote access paths that broaden what the initial identity can reach.
  3. Impact is the compromise of identity trust, enabling persistent espionage access into logistics and tech environments supporting Ukraine.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity trust, not network hardness, is the decisive control boundary in this campaign. The article shows that Russian GRU operators are not relying on noisy perimeter attacks alone. They are targeting authentication weakness, delegated mailbox access, and legacy protocols because identity systems still determine who gets in and what they can touch. The implication is that IAM, PKI, and protocol governance now sit on the front line of state-sponsored intrusion defence.

Legacy authentication is a structural liability, not a compatibility issue. NTLM persists because many organisations still treat old protocols as transitional rather than exploitable. That assumption fails when a threat actor deliberately selects the weakest identity path available. The implication is that identity programmes must treat protocol retirement as risk reduction, not technical housekeeping.

Certificate-based authentication is only as strong as its lifecycle governance. PKI improves assurance by binding access to managed credentials, but it also creates new failure points if issuance, renewal, and revocation are not disciplined. In hybrid environments, unmanaged certificate sprawl can become a new form of identity debt. Practitioners should evaluate PKI as a governed identity layer, not a silver bullet.

Privilege is often hidden in mailbox and remote-access configuration, not just in IAM roles. The article’s reference to mailbox permissions and RDP shows how operational access is frequently wider than policy intends. Those settings can turn a successful sign-in into broad read or lateral movement capability. Practitioners need to inspect where identity trust is amplified after authentication, because that is where real compromise depth is created.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a broader identity baseline, review 52 NHI Breaches Analysis for recurring failure patterns across credential exposure and access abuse.

What this signals

Certificate-based authentication will not compensate for unmanaged identity lifecycle. If organisations continue to leave credentials, mailbox entitlements, and legacy protocols in place, the attack surface remains broad even when the login method improves. The programme signal is clear: identity teams need a retirement plan for weak trust mechanisms, not just a new authentication standard.

The practical pressure point is governance, not tooling volume. Organisations that maintain hybrid identity estates should expect more scrutiny of mailbox delegation, remote-access protocols, and certificate lifecycle ownership because those are the places attackers turn a single sign-in into durable access.

Identity blast radius: The next maturity test is whether a successful login can be contained before it becomes mailbox access, protocol abuse, or persistent espionage. Teams that can map that path should prioritise access boundaries and certificate lifecycle controls now.


For practitioners

  • Retire weak authentication paths: Prioritise password spraying resistance, phishing-resistant sign-in, and removal of legacy login paths that still accept guessable or replayable credentials.
  • Review mailbox delegation and access inheritance: Audit delegated mailbox permissions, shared inbox access, and inherited administrative rights that let a single compromised identity reach communications at scale.
  • Deprecate NTLM in phased increments: Map every application and remote-access dependency that still uses NTLM, then replace or isolate those paths before attackers can target them as the weakest trust layer.
  • Treat certificates as governed identity assets: Enforce issuance, renewal, and revocation controls so certificate-based authentication does not become another unmanaged credential lifecycle problem in hybrid environments.
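The mailbox delegation review in the second item above (and the same point in the "mailbox permissions" question and technical section earlier on the page) can be driven from a permission export. The audit below is an added example, not code from Axiad or NHIMG. The CSV is constructed to look like an export of mailbox permission entries with the columns Identity, User, AccessRights, IsInherited and Deny, which mirror the usual Exchange cmdlet output; the rows, the disabled-account list and the delegate-count threshold are assumptions.

```python
"""Mailbox delegation audit over a permission export (added example, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed export. Backslashes are doubled only because this is a Python string.
SAMPLE_EXPORT = """\
Identity,User,AccessRights,IsInherited,Deny
alice,NT AUTHORITY\\SELF,FullAccess,False,False
alice,assistant-bob,FullAccess,False,False
alice,S-1-5-21-1111-2222-3333-500,FullAccess,True,False
finance-shared,NT AUTHORITY\\SELF,FullAccess,False,False
finance-shared,carol,FullAccess,False,False
finance-shared,dave,FullAccess,False,False
finance-shared,erin,FullAccess,False,False
finance-shared,contractor-old,FullAccess,False,False
ceo,NT AUTHORITY\\SELF,FullAccess,False,False
ceo,helpdesk-tier1,FullAccess,True,False
ceo,frank,FullAccess,False,True
"""

# Constructed list of accounts that are disabled or past their offboarding date.
DISABLED_ACCOUNTS = {"contractor-old"}

# The mailbox's own entry and the system account are not delegation.
SYSTEM_PRINCIPALS = {"NT AUTHORITY\\SELF", "NT AUTHORITY\\SYSTEM"}


def parse_export(text):
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_delegation(rows, disabled=DISABLED_ACCOUNTS, max_delegates=3):
    """Return {mailbox: {"delegates": [...], "findings": [...]}} for every mailbox
    where a principal other than the owner holds FullAccess."""
    by_mailbox = defaultdict(list)
    for row in rows:
        user = row["User"]
        if row["Deny"] == "True":
            continue  # an explicit deny entry grants nothing
        if user in SYSTEM_PRINCIPALS:
            continue
        if "FullAccess" not in row["AccessRights"].split(","):
            continue  # this audit is scoped to full mailbox access
        by_mailbox[row["Identity"]].append(row)

    report = {}
    for mailbox, grants in by_mailbox.items():
        findings = []
        delegates = sorted({g["User"] for g in grants})
        for g in grants:
            user = g["User"]
            if g["IsInherited"] == "True":
                # Inherited grants come from a parent object, so nobody approved
                # them for this mailbox specifically.
                findings.append(f"inherited_full_access:{user}")
            if user.startswith("S-1-5-"):
                # A raw SID in place of a name usually means the grantee object
                # no longer resolves in the directory.
                findings.append(f"unresolved_sid:{user}")
            if user in disabled:
                findings.append(f"disabled_account_retains_access:{user}")
        if len(delegates) > max_delegates:
            findings.append(f"delegate_count_exceeds_{max_delegates}:{len(delegates)}")
        report[mailbox] = {"delegates": delegates, "findings": sorted(findings)}
    return report


if __name__ == "__main__":
    for mailbox, detail in audit_delegation(parse_export(SAMPLE_EXPORT)).items():
        print(mailbox, detail)
```

Every mailbox with a non-owner FullAccess grant is reported, even when the findings list is empty, because the delegate list itself is what the mailbox owner has to attest to; the findings are the entries that should not survive a review without a decision (the inherited grant on the executive mailbox, the unresolved SID, and the departed contractor who still reads the shared finance inbox).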

Key takeaways

  • The breach pattern is about identity trust abuse, not perimeter defeat.
  • The scale of exposure comes from weak authentication, legacy protocols, and over-permissioned mailbox access working together.
  • Phasing out NTLM and governing certificate lifecycle are the controls most likely to reduce the blast radius.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) |                     | The article centers on identity trust and continuous verification in hybrid access paths.
NIST CSF 2.0                 | PR.AC               | Authentication, delegation, and access inheritance are the main attack surface here.
NIST SP 800-63               |                     | Certificate-based authentication is discussed as a stronger identity assurance model.

Map remote access and email trust paths to zero-trust policy checks and remove implicit trust from legacy protocols.


Key terms

  • Certificate-Based Authentication: An authentication method that uses cryptographic certificates instead of shared secrets or passwords to prove identity. It is stronger than guessable credentials because the proof is bound to a managed key pair, but it still depends on disciplined issuance, renewal, and revocation across the certificate lifecycle.
  • Legacy Authentication: Older identity protocols and sign-in methods that remain in use for compatibility even after better options exist. These systems often preserve weak trust assumptions, which makes them attractive to attackers who want to exploit the easiest accepted path into an environment.
  • Mailbox Delegation: A permission model that allows one identity to access another mailbox or shared inbox. It is operationally useful, but if it is over-broad or poorly reviewed it can turn a single valid login into access to communications, attachments, and internal context far beyond the intended scope.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Authentication State-Sponsored Cyber Threats, Is Your Identity Infrastructure Ready? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org