Russian cyber hackers gain access to unclassified American cleared defense contractor data

U.S. security agencies identified that Russian state-sponsored cyber hackers have targeted cleared defense contractor (CDC) networks for over two years. These intrusions have led to adversaries obtaining access to sensitive American defense information and technology, potentially exposing program developments and internal company communications, according to a joint cybersecurity advisory issued on Wednesday.

The advisory said that the Russian intrusions have led to the exfiltration of information that deals with weapons and missile development, vehicle and aircraft design, software development and information technology. From at least January 2020 through this month, the cyber hackers also compromised data analytics, logistics, email communications, contract details, product development, tests and timelines, foreign partnerships, and funding details held on CDC networks.

“Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses,” according to the alert issued by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA). “The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs,” it added.

The alert said that cyber hackers gained significant insights into U.S. weapons platform development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive, it added. 

During the two-year period, the Russian hackers have maintained persistent access to multiple CDC networks, and in some cases for at least six months, the alert said. “In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters,” it added. 

Through these intrusions, the Russian state-sponsored hackers have acquired unclassified CDC-proprietary and export-controlled information, which “provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology,” the alert said. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment, it added.

Russian hackers use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks, according to the advisory. “After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database ntds.dit [T1003.003]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers,” it added.

Using compromised M365 credentials, including global admin accounts, the Russian state-sponsored hackers can gain access to M365 resources, including SharePoint pages, user profiles, and user emails, the joint advisory said. Cyber hackers routinely use virtual private servers (VPSs) as an encrypted proxy. They use VPSs and small office and home office (SOHO) devices as operational nodes to evade detection.

In multiple instances, the cyber hackers have maintained persistent access for at least six months, the alert said. “Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence, enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments,” it added. 

The FBI, NSA, and CISA have urged all CDCs to investigate suspicious activity in their enterprise and cloud environments. The agencies also recommended implementing robust log collection and retention, while also looking for behavioral evidence or network and host-based artifacts from known TTPs associated with this activity.
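As an added example (not from the advisory or this article), the following Python detector applies that hunting recommendation to Windows process-creation (Event ID 4688) records, flagging the host artifacts the advisory describes: an ntds.dit export via ntdsutil, shadow-copy creation on a domain controller, and Mimikatz-style module invocation. The log records, hostnames and rule set are constructed for illustration.

```python
import re

# Constructed hostnames of the domain controllers in this sample (assumption).
DOMAIN_CONTROLLERS = {"dc01", "dc02"}

# Each rule: (name, MITRE technique, regex over "process command_line",
#             whether the match is only meaningful on a domain controller)
RULES = [
    ("ntdsutil IFM export of ntds.dit", "T1003.003",
     re.compile(r"ntdsutil.*\bifm\b", re.IGNORECASE), False),
    ("ntds.dit referenced on the command line", "T1003.003",
     re.compile(r"ntds\.dit", re.IGNORECASE), False),
    ("Volume shadow copy created on a domain controller", "T1003.003",
     re.compile(r"vssadmin.*create\s+shadow", re.IGNORECASE), True),
    ("Mimikatz-style module invocation", "T1003",
     re.compile(r"(mimikatz|sekurlsa::|lsadump::)", re.IGNORECASE), False),
]

# Constructed sample records: (event_id, host, process_path, command_line).
SAMPLE_EVENTS = [
    (4688, "dc01", r"C:\Windows\System32\ntdsutil.exe",
     r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\out" q q'),
    (4688, "dc01", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin create shadow /for=C:"),
    (4688, "ws07", r"C:\Users\j.doe\Downloads\m.exe",
     'm.exe "sekurlsa::logonpasswords" exit'),
    (4688, "ws07", r"C:\Windows\System32\vssadmin.exe",   # backup job, not a DC
     "vssadmin create shadow /for=C:"),
    (4688, "ws07", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]


def scan_events(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return one finding per (event, rule) match over process-creation records."""
    findings = []
    for event_id, host, process, cmdline in events:
        if event_id != 4688:          # only process-creation records are examined
            continue
        text = f"{process} {cmdline}"
        for name, technique, pattern, dc_only in RULES:
            if dc_only and host not in domain_controllers:
                continue              # shadow copies are routine on non-DC hosts
            if pattern.search(text):
                findings.append({"host": host, "rule": name,
                                 "technique": technique, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['host']}: {f['rule']} <- {f['cmdline']}")
```

In production the same rules would run over the centralized logs the advisory recommends collecting, with the domain controller list taken from Active Directory rather than hard-coded.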

Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset, the joint cybersecurity advisory said. In addition, such enterprises must reset passwords for all local accounts, and reset all domain user, admin, and service account passwords. 

All CDCs have been advised to enable multi-factor authentication (MFA) for all users, enforce strong and unique passwords, introduce account lockout and time-based access features, and reduce credential exposure using virtualization solutions on modern hardware and software. The agencies also recommended establishing centralized log management, initiating a software and patch management program, employing antivirus programs, using endpoint detection and response (EDR) tools, maintaining rigorous configuration management programs, and enforcing the principle of least privilege.

“Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,” Rob Joyce, director of NSA cybersecurity, said in a media statement. “Armed with insights like these, we can better detect and defend important assets together,” he added.

Last week, CISA issued a ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. The warning came in the wake of increasing geopolitical tensions brought about by Russia’s potential invasion of Ukraine.
