According to Microsoft’s Detection and Response Team (DART), state-sponsored hackers, including the SolarWinds hackers, Nobelium and others, track identities with password spraying.
Password spraying is a variant of what is known as a brute force attack, in which the perpetrators attempt to gain unauthorized access to a single account by repeatedly guessing the password within a short period of time.
DART identified two main password spray techniques including the first known as “low and slow,” which simply means that a determined attacker uses a sophisticated password spray that uses “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated guesses.”
The other method, “availability and reuse,” exploits previously compromised credentials that are published and sold on the dark web. According to Microsoft, “attackers can utilize this tactic, also called ‘credential stuffing’ to easily gain entry because it relies on people reusing passwords and username across sites.”