The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), issued a joint Cybersecurity Advisory titled, “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” Compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs.
Over the last two years, both large and small CDCs and subcontractors supporting various defense industries have been targeted for unclassified proprietary and export-controlled information, such as weapons development, communications infrastructure, technological and scientific research, and other proprietary details. In the advisory, the three agencies outline the activities and tactics used by the Russian state-sponsored cyber actors, which include:
- Brute force techniques to identify valid account credentials for domain and M365 accounts, then using those credentials to gain initial access to networks.
- Spearphishing emails with links to malicious domains, including methods and techniques meant to bypass virus and spam scanning tools.
- Harvested credentials used in conjunction with known vulnerabilities to escalate privileges and gain remote code execution on exposed applications.
- Mapping Active Directory and connecting to domain controllers, which would enable credentials to be exfiltrated.
- Maintaining persistent access, in multiple instances for at least six months, which is likely because the threat actors relied on possession of legitimate credentials enabling them to pivot to other accounts.
The FBI, NSA, and CISA urge all critical infrastructure organizations and CDCs to investigate suspicious activity in their enterprise and cloud environments. All organizations, with or without evidence of compromise, are also encouraged to apply the mitigations listed in the advisory to reduce the risk of compromise by this threat actor. Specific actions that can be taken to protect against this malicious activity include enforcing multifactor authentication, enforcing strong, unique passwords, enabling M365 Unified Audit Logs, and implementing endpoint detection and response tools.
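As an added illustration of why the advisory pairs "enable M365 Unified Audit Logs" with "investigate suspicious activity", the following Python (not part of the advisory or any CISA tooling) runs a simple password-spray detection over Unified Audit Log sign-in records: it flags a source IP that fails sign-ins against many distinct accounts in a short window, and separately records any later successful sign-in from that IP, which is the point at which the brute-forced credentials become initial access. The sample records are constructed; the field names (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `UserLoginFailed`, `UserLoggedIn`) are assumed to follow the Office 365 Management Activity schema, and the window and account thresholds are arbitrary tuning assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of M365 Unified Audit Log sign-in records as JSON lines.
# Field names assume the Office 365 Management Activity schema; values are made up.
SAMPLE_UAL = """
{"CreationTime":"2022-02-16T10:00:01","Operation":"UserLoginFailed","UserId":"alice@example.test","ClientIP":"198.51.100.7"}
{"CreationTime":"2022-02-16T10:01:12","Operation":"UserLoginFailed","UserId":"bob@example.test","ClientIP":"198.51.100.7"}
{"CreationTime":"2022-02-16T10:02:05","Operation":"UserLoginFailed","UserId":"carol@example.test","ClientIP":"198.51.100.7"}
{"CreationTime":"2022-02-16T10:02:40","Operation":"UserLoginFailed","UserId":"frank@example.test","ClientIP":"203.0.113.9"}
{"CreationTime":"2022-02-16T10:03:01","Operation":"UserLoggedIn","UserId":"frank@example.test","ClientIP":"203.0.113.9"}
{"CreationTime":"2022-02-16T10:03:30","Operation":"UserLoginFailed","UserId":"dave@example.test","ClientIP":"198.51.100.7"}
{"CreationTime":"2022-02-16T10:04:15","Operation":"UserLoginFailed","UserId":"erin@example.test","ClientIP":"198.51.100.7"}
{"CreationTime":"2022-02-16T10:05:02","Operation":"UserLoggedIn","UserId":"erin@example.test","ClientIP":"198.51.100.7"}
"""


def detect_password_spray(ual_jsonl, window_minutes=30, min_accounts=5):
    """Return {client_ip: {"targeted_accounts": set, "successful_logins": list}}
    for every source IP that fails sign-ins against at least `min_accounts`
    distinct accounts inside a sliding window. A UserLoggedIn from such an IP
    is recorded separately: that is the 'valid credentials in hand' moment."""
    window = timedelta(minutes=window_minutes)
    records = [json.loads(line) for line in ual_jsonl.splitlines() if line.strip()]
    records.sort(key=lambda r: r["CreationTime"])
    failures = defaultdict(list)  # ClientIP -> [(timestamp, UserId), ...]
    findings = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["CreationTime"])
        ip, user, op = rec["ClientIP"], rec["UserId"], rec["Operation"]
        if op == "UserLoginFailed":
            failures[ip].append((ts, user))
        elif op != "UserLoggedIn":
            continue  # other operations are not sign-in events
        # Distinct accounts this IP failed against within the window ending now.
        recent = {u for t, u in failures[ip] if ts - t <= window}
        if len(recent) < min_accounts:
            continue
        hit = findings.setdefault(ip, {"targeted_accounts": set(), "successful_logins": []})
        hit["targeted_accounts"] |= recent
        if op == "UserLoggedIn":
            hit["successful_logins"].append(user)
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_UAL).items():
        print(ip, sorted(hit["targeted_accounts"]), hit["successful_logins"])
```

A single failed then successful sign-in (frank from 203.0.113.9) is not flagged; only the IP that cycled through five accounts and then authenticated as one of them is reported.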
In addition to this latest advisory on Russian state-sponsored malicious cyber activity, we encourage all organizations to review our new Shields Up webpage to find recommended actions on protecting their most critical assets from these threat actors.
Cybersecurity and Infrastructure Security Agency