Agencies Say Russian Hackers Targeting Defense ContractorsCISA, FBI and NSA Issue Advisory on Compromises of Defense Industrial Base
The U.S. Cybersecurity and Infrastructure Security Agency, along with the FBI and the National Security Agency, issued a joint advisory on Wednesday pointing to Russian state-sponsored activity against defense contractors.
In the advisory, U.S. officials say that over the last two years, related threat actors have compromised cleared defense contractors, or CDCs, supporting the U.S. Army, Air Force, Navy, Space Force and intelligence community programs. In some instances, persistence on the CDCs' networks lasted at least six months.
The officials say both large and small CDCs and subcontractors have been "targeted for unclassified proprietary and export-controlled information such as weapons development, communications infrastructure, technological and scientific research and other potentially sensitive details."
"Over the last several years, we have observed and documented a host of malicious activity conducted by Russian state-sponsored cyber actors targeting U.S. critical infrastructure," CISA Director Jen Easterly said in a statement. "Today’s joint advisory with our partners at FBI and NSA is the latest report to detail these persistent threats to our nation's safety and security. Everyone has a role to play to combat this and other Russian cyber threats, and we encourage all organizations of every size to take action to mitigate risks to their networks."
The Russian state-sponsored actors use some of the following tactics:
- Brute force techniques to identify valid account credentials for domain and Microsoft 365 accounts and using credentials to gain initial access;
- Spear-phishing emails with links to malicious domains to bypass virus and spam scanning tools;
- Harvested credentials and known vulnerabilities to escalate privileges and achieve remote code execution on exposed apps;
- Mapping Active Directory and connecting to domain controllers for credential exfiltration;
- Maintaining persistent access, likely by possessing legitimate credentials.
In the advisory, the agencies say "continued intrusions" have enabled the malicious actors to acquire sensitive, unclassified information, which includes insight into U.S. weapons development and deployment timelines, vehicle specifications and plans for communications infrastructure and IT.
Officials say the actors obtained internal documents and email communications, which may allow adversaries to "adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment."
Commenting on the campaign, which was tracked from at least January 2020 to February 2022, Bryan Vorndran, assistant director of the FBI's Cyber Division, said in a statement: "The FBI, along with our partners at CISA and NSA, will continue to combat Russia's targeted cyber activity as it threatens different sectors in the U.S. We will actively pursue, prevent and disrupt these malicious actions as they attempt to impact Cleared Defense Contractor networks. We urge our private sector partners as well as the public to continue to implement good cyber hygiene practices to assist in mitigating these threats where possible."
The agencies warn CDCs to:
- Enable multifactor authentication for all users;
- Implement time-out and lock-out features;
- Configure time-based access for accounts set at the admin level and higher;
- Create a centralized log management system;
- Monitor remote access/Remote Desktop Protocol logs;
- Consider using a centralized patch management system;
- Ensure antivirus applications are installed, updated and monitored;
- Use endpoint detection and response tools;
- Apply the principle of least privilege and remove privileges not expressly required;
- Reduce the number of admin accounts and regularly audit them;
- Institute policy that disables remote interactive logins;
- Review existing trust relationships with IT service providers and remove those that are unnecessary;
- Update VPNs, network infrastructure devices and devices used for remote work;
- Provide end-user awareness and training.
'Component of Their Force Projection'
In their advisory, the agencies remind network defenders that over the last decade, Russian state-sponsored actors "have used cyber as a key component of their force projection, which includes disabling or destroying critical infrastructure."
Rob Joyce, director of cybersecurity at the NSA, says of the warning: "Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors. Armed with insights like these, we can better detect and defend important assets together."
Some security experts say Wednesday's alert is "particularly problematic" since cited adversaries maintained system access for six months or more.
"Given the history of espionage and the well-known need to have better detection and response capabilities, this amount of dwell time is unacceptable," says Rick Holland, a former intelligence analyst for the U.S. Army and current CISO for the security firm Digital Shadows. "The Biden administration's response is just one step in a long journey that requires executive action and bipartisanship across multiple administrations."
In the alert, the officials also point to CISA's "Shields Up" advisory, issued on Feb. 11, which warned U.S. organizations of potential Russian cyberattacks as part of retaliatory actions by the Kremlin should the U.S. or its Western allies intervene in the Ukraine border conflict (see: CISA Warns Orgs to Prep for Potential Russian Cyberattacks).
CISA's warning comes as Moscow has amassed some 100,000 troops along Ukraine's eastern border. U.S. officials fear the Russians may launch more direct cyberattacks against those who intervene in the crisis.
Russian President Vladimir Putin has sought to bar Ukraine from entering NATO, the intergovernmental military alliance, and NATO has rejected Putin's demand.
On Tuesday, U.S. President Joe Biden, in an address to the nation, warned that the U.S. is prepared to respond to any asymmetric attacks carried out by Russia - including cyberattacks on critical infrastructure.
As such, while CISA said it is not aware of "any specific credible threats to the U.S. homeland," the agency warned defenders to be "mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine."
CISA noted that it is working with critical infrastructure partners to "ensure awareness of potential threats." The nation's operational cyber agency also advised all organizations to adopt a "heightened posture."
Following a seemingly mild escalation in rhetoric over the weekend, Putin said earlier this week that he intended to draw down some of his troops at the border. But British Prime Minister Boris Johnson tweeted on Tuesday that his intelligence suggested otherwise.
Also on Tuesday, reports of an apparent DDoS attack on Ukrainian websites surfaced - reportedly affecting the country's Ministry of Defense, which supports its armed forces, along with several state banks (see: Report: Cyberattack Hits Ukrainian Defense Ministry, Banks).
Also, following debate over whether members of the defense industrial base needed to obtain third-party security audits, the U.S. Department of Defense last week leaned toward stringent checks for its Cybersecurity Maturity Model Certification program, Federal News Network reported. Debate had been ongoing, since officials have urged the DOD to remain transparent around routine documents, while at the same time charging it with security over critical military information.