The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and
the National Security Agency (NSA), issued a joint Cybersecurity
Advisory titled, “Russian State-Sponsored Cyber Actors
Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense
Information and Technology.” Compromised
entities have included cleared defense contractors (CDCs) supporting the U.S.
Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community
programs.
Over the last two years, both large and small CDCs and
subcontractors supporting various defense industries have been observed being
targeted for unclassified proprietary and export-controlled information such as
weapons development, communications infrastructure, technological and
scientific research, and other proprietary details. In the advisory, the three
agencies outline the activities and tactics used by the Russian state-sponsored
cyber actors that include:
- Brute force techniques to identify valid
account credentials for domain and M365 accounts and then use those
credentials to gain initial access in networks. - Spearphishing emails with
links to malicious domains, to include using methods and techniques meant
to bypass virus and spam scanning tools. - Harvested credentials used in conjunction
with known vulnerabilities to escalate privileges and gain remote code
executions on exposed applications. - Map the Active Directory and connect to
domain controllers, which would enable credentials to be
exfiltrated. - Maintained persistent access, in multiple
instances for at least six months, which is likely because the threat
actors relied on possession of legitimate credentials enabling them to
pivot to other accounts.
The FBI, NSA, and CISA urge all critical infrastructure
organizations and CDCs to investigate suspicious activity in their
enterprise and cloud environments. Also, all organizations, with or
without evidence of compromise, are encouraged to apply the mitigations listed
in the advisory to reduce the risk of compromise by this threat actor. Some of
the specific actions that can be taken to protect against this malicious
activity include: enforce multifactor authentication, enforce strong, unique
passwords, enable M365 Unified Audit Logs, and implement endpoint detection and
response tools.
The agency maintains a dedicated webpage that
provides an overview of the Russian government’s malicious cyber
activities. Read the full advisory here and we encourage you to share
this information.
In addition to this latest advisory on Russian
state-sponsored malicious cyber activity, we encourage all
organizations to review our new Shields Up webpage to
find recommended actions on protecting their most critical assets from
these threat actors.
Cybersecurity
and Infrastructure Security Agency