Cybersecurity and military secrets among documents accessed

Russian nation-state hackers targeting US contractors for sensitive defense information, FBI warns

Russian state-sponsored operatives are targeting US contractor networks to obtain sensitive defense information, the FBI has warned, with some gaining persistent access for at least six months.

A statement from the US Cybersecurity and Infrastructure Security Agency (CISA), released yesterday (February 16), details how it has observed the “regular targeting” of US cleared defense contractors (CDCs) through January 2020 to February 2022.

The joint release from CISA, the FBI, and NSA states that both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources have been targeted.

These CDCs support contracts for the US Department of Defense (DoD) and wider intelligence community in various areas, including software development, data analytics, logistics, surveillance, reconnaissance, and targeting.

Access granted

Over a two-year period, Russian actors maintained persistent access to multiple CDC networks, in some cases for at least six months, said CISA.

The FBI, NSA, and CISA noted regular and recurring exfiltration of emails and data.

“For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters,” the release reads.

READ MORE Who is behind APT29? What we know about this nation-state cybercrime group

According to the agency, the threat actors used tactics including spear-phishing, credential harvesting, and brute-force attacks against accounts and networks with weak security.

“These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data,” the statement reads.

“The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.”

This has enabled them to access “sensitive, unclassified information”, as well as CDC-proprietary and export-controlled technology.

Prime target

Some of the stolen data provides significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology, said CISA.

“Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for US defense information in the near future.

“These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.”

Mitigations include employing multi-factor authentication (MFA), using strong, unique passwords, and implementing a software patch management program to reduce the number of known vulnerabilities in a CDC’s network.

YOU MAY LIKE APT focus: ‘Noisy’ Russian hacking crews are among the world’s most sophisticated