Indicates that a malicious actor has conducted additional activities on a compromised system, such as collecting data, deploying more malware, or establishing persistent access. Some documents—within both the IC and the private sector—use exploited and compromised synonymously. In practice, however, cyber actors may compromise more accounts and systems than they exploit, in part because of the availability of tools to automate the process of compromising vulnerable systems. Distinguishing whether and how an actor has made use of a compromised system—whenever available intelligence allows—aids in understanding the impact and implications of the malicious cyber activity.

Source: Cyber Threats to Elections – A Lexicon, Cyber Threat Intelligence Integration Center & Office of the Director of National Intelligence, https://www.dni.gov/files/CTIIC/documents/CTIIC_2018_Lexicon_without_banner_small_file_for_Post.pdf