According to the American Cybersecurity and Infrastructure Security Agency (CISA), the attackers behind the SolarWinds hack also attempted to guess passwords. Some of these attempts were successful.
In an update to its message about the SolarWinds hack, the CISA indicates that password guessing, password spraying and inappropriately secured administrative credentials accessible via external remote access services were also used in the attack.
Password spraying is a more sophisticated version of password guessing, where frequently used passwords were only attempted on login pages attempted at low frequency. In this way, the attackers try to prevent the target account getting locked out.
As soon as the attackers were logged in, they could obtain administrator rights and thus gain access to other resources in the networks. No additional passwords were required, let alone two-step authentication.
Research in progress
Research into the SolarWinds hack is still in full swing. Hundreds of networks within the American government appear to have been affected by the hack. US security services have strong suspicions that the attacks are of Russian origin.