Stolen credentials opened the door to months of undetected access inside Advanced, a critical NHS supplier, eventually forcing emergency and out-of-hours GP services back to paper processes. The initial foothold required nothing more sophisticated than credentials most likely obtained through phishing, after which the intruders mapped the environment and prepared their payload without triggering meaningful resistance.

Verizon’s 2023 DBIR shows stolen credentials as the leading breach vector for five straight years, while IBM’s 2023 Cost of a Data Breach Report records an average of 277 days to identify and contain an incident. These numbers align with the Advanced timeline, where ordinary reusable secrets allowed prolonged internal movement before ransomware execution.

Why Reusable Credentials Permitted Extended Dwell Time

Once valid credentials were obtained, the attackers authenticated as legitimate users and moved laterally. Passwords paired with SMS OTPs, TOTP codes, or push approvals offered no durable barrier because each factor can be captured and replayed. The absence of cryptographic binding between the session and a specific device meant the intruders could complete authentication exactly as the account holder would, using the same secrets from any location.

This pattern repeats because the authentication model itself leaves interceptable material available at multiple points in the identity lifecycle. Registration, device onboarding, and routine logins all rely on secrets that can be phished, intercepted, or socially engineered. After the first compromise, every subsequent step proceeds without additional friction.

How Centralized Credential Stores Amplify the Risk

Centralized stores of reusable secrets create a single point of failure that persists across an organization’s entire infrastructure. When those secrets are captured, the attacker inherits the same privileges and session capabilities as the original user. In the Advanced environment, this allowed months of reconnaissance and preparation because the authentication system could not distinguish between the legitimate holder and an impersonator presenting the same factors.

The result is an architecture that favors detection over prevention. Organizations must rely on log analysis and behavioral monitoring to notice activity that should never have been possible in the first place.

Device-Bound Public-Key Authentication as a Preventive Alternative

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography, the same technology used in Apple Pay and Google Pay. It uses device-bound credentials with no central credential database and operates as same-device authentication without requiring a second device. The private key never leaves the hardware or secure enclave, so the service only ever receives the matching public key. At login the system issues a challenge that only the enrolled device can answer.
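As an added illustration, not code from the original article or from any MFA 2.0 product, the following Go sketch models the challenge-response just described: the server keeps only public keys, issues a fresh random nonce per login, and the device answers by signing that nonce together with the origin it is talking to, using a private key that never leaves it. The Server and Device types, the user name and the origin strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server holds only public keys and one pending nonce per user: no reusable secret.
type Server struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey // user -> enrolled device key
	challenges map[string][]byte            // user -> nonce of the pending login
}
// Device holds the private key; in production it never leaves the secure enclave.
type Device struct{ priv ed25519.PrivateKey }
func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// NewDevice generates a key pair; only the public half is ever sent to the server.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues a fresh random nonce; a new nonce voids the previous one.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.challenges[user] = nonce
	return nonce
}
// message binds the signed data to the relying-party origin and the nonce.
func message(origin string, nonce []byte) []byte { return append([]byte(origin+"\x00"), nonce...) }
// Respond signs for the origin the device actually talks to, so a relayed challenge fails.
func (d *Device) Respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, message(origin, nonce))
}
// Verify checks the signature and consumes the nonce, making each response single-use.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, enrolled := s.pubKeys[user]
	nonce, pending := s.challenges[user]
	delete(s.challenges, user)
	return enrolled && pending && ed25519.Verify(pub, message(s.origin, nonce), sig)
}
```

Because the nonce is consumed on verification and the signed message includes the origin, a captured response cannot be replayed against a later challenge, and a response collected on a look-alike site does not verify at the genuine server.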

This model is prevention-focused. The attack cannot occur because there are no credentials to compromise at any stage of the identity lifecycle, including registration, device onboarding, authorization, authentication, and decommissioning. Remote administrators at Advanced would have relied on device-bound key pairs with no passwords or OTPs available for theft. Even if network access were gained through other means, the absence of the required private key would have blocked authentication completion.