Russian hackers compromised defense contractors in the last two years and gained access to sensitive information, according to U.S. intelligence and security agencies.
The FBI, National Security Agency (NSA), and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity alert they observed “regular targeting” of cleared defense contractors (CDCs) by Russian state-sponsored threat actors from January 2020 to February 2022.
The agencies warned that the nation-state attackers acquired sensitive information on weapons development, communications, and infrastructure. They believe that Russia could use this information to strategize its military and hasten technological advancement.
Russian hackers used common but effective tactics to compromise defense contractors
Russian hackers use time-tested tactics like they have done in the past to compromise defense contractors’ networks. These tactics include spear phishing, credential harvesting, brute force or password spraying attacks, and exploiting known vulnerabilities. The FBI, NSA, and CISA had issued another cybersecurity advisory on Russian hackers conducting brute-force campaigns on cloud environments.
In recent attacks, Russian hackers focused on compromising Office 365 environments, used legitimate credentials to maintain persistence, and deployed various malware to exfiltrate data.
They used URL shortening services to mask malicious domains and exploited known vulnerabilities such as CVE-2020-0688, CVE-2020-17144, and CVE-2018-13379 to harvest credentials.
They also used virtual private servers (VPSs) as encrypted proxies and SOHO devices as operational nodes to obscure their activity.
The FBI, NSA, and CISA observed “regular and recurring exfiltration or emails and data,” with Russian hackers maintaining persistence for at least six months in some cases. Russian hackers “did not rely on malware or other persistence mechanisms” to maintain their foothold on compromised networks, according to the security agencies.
Russian hackers accessed export-controlled technology by hacking defense contractors
The security agencies warned that Russian hackers accessed sensitive information, unclassified information, and CDC-proprietary and export-controlled technology. This information pertains to all U.S. military branches, including the Air Force, Navy, Army, and Space Force.
The targeted defense contractors support the Department of Defense (DoD) and intelligence services in various capacities. Their roles include controlling and commanding combat systems and communications and intelligence and information gathering. Additionally, they support the U.S. military in weapons development, vehicle and aircraft design, software development, and analytics.
The alert stated that Russian hackers obtained hundreds of documents on defense contractors’ products, legal matters, internal personnel, and relationships with other countries.
The agencies believe that the information provides the Russian government with insight into the U.S. weapons platforms, communications infrastructure and information technology plans, vehicle specifications, and deployment timelines.
“By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment,” CISA wrote.
The security agencies also predicted that Russian hackers would continue targeting defense contractors to access the valuable information they possess. They advised network defenders working with the defense contractors to apply mitigations regardless of evidence of compromise.
Addressing the issue
The agencies recommended credential hardening techniques such as multi-factor authentication, lockout features for failed logins, strong password requirements, and password management solutions.
Additionally, they advised organizations to implement patch management programs, endpoint detection tools, least privilege principles, robust configuration management plans, and use anti-virus programs.
U.S. agencies have frequently reported suspected Russian intrusion into federal and defense networks. However, U.S. Senate Armed Service Committee Chair Democratic Sen. Jack Reed told CNN that both sides were involved in “the compromise of intelligence” and that the U.S. had a “very active cyber operation” against Russia. He added that the U.S. Cyber Command was on high alert to counter Russian hacking and even assist Ukraine in the cybersphere.
U.S. President Joe Biden earlier met with his Russian counterpart Vladimir Putin in June 2021 and discussed 16 critical infrastructure entities that the U.S. considers off-limits. However, Russia continually denies sponsoring cyberattacks against U.S. agencies, with Putin claiming that most cyberattacks originated from the U.S. He also accused the U.S. of refusing to cooperate.