A new cybersecurity advisory from the Federal government’s top cybersecurity watchdogs says that Russian state-sponsored hackers have compromised numerous defense industrial base (DIB) contractors both large and small over the past two years, and warns about the extensive bag of tricks that those hackers use when they target defense contractors.
The Feb. 16 advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) doesn’t break specific news about DIB hacks, but it openly acknowledges that some of those attacks have succeeded.
“Over the last two years, compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs,” CISA, FBI, and NSA said.
“In the past several years, both large and small CDCs and subcontractors supporting various defense industries have been observed being targeted for unclassified proprietary and export-controlled information such as weapons development, communications infrastructure, technological and scientific research, and other potentially sensitive details,” the agencies said.
The three agencies said they “strongly encourage organizations to apply recommended mitigation steps to reduce risk of compromise.”
The agencies’ call-out of Russia-backed hacking threats comes amid two separate but related developments:
- The first is the Pentagon’s latest evolution in thinking about a wider reach for its Cybersecurity Maturity Model Certification (CMMC) 2.0 program; and
- The second is independent reporting today about Ukrainian banking and government institutions falling victim to cyber incursions, presumably from Russia.
CISA, FBI, and NSA listed out some of the top techniques employed by the Russian state-sponsored hackers, which already are well known to security experts:
- “Brute force techniques to identify valid account credentials for domain and M365 accounts and then use those credentials to gain initial access in networks;
- Spearphishing emails with links to malicious domains, to include using methods and techniques meant to bypass virus and spam scanning tools;
- Using harvested credentials in conjunction with known vulnerabilities to escalate privileges and gain remote code execution on exposed applications;
- Mapping Active Directory and connecting to domain controllers, which would enable credentials to be exfiltrated; and
- Maintaining persistent access, in multiple instances for at least six months, which is likely because the threat actors relied on possession of legitimate credentials enabling them to pivot to other accounts.”
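The first technique in that list, brute forcing M365 and domain accounts to find valid credentials, leaves a distinctive footprint in sign-in logs: one source address failing against many accounts (password spraying), or many failures against one account followed by a success. The script below is an added example written for this article, not code from the advisory or from CISA, FBI, or NSA. It works over a constructed, simplified log format (timestamp, user, source IP, SUCCESS/FAILURE); the sample events are fabricated, and the window and threshold values are assumptions a defender would tune to their own tenant. Real M365 unified audit log or Azure AD sign-in records carry the same fields under other names (for example UserId, ClientIP, ResultStatus) and must be mapped into this shape first.

```python
"""Detect password spraying and single-account brute force in sign-in events.

Added example for illustration only. Log format is a constructed simplification:
    <ISO-8601 timestamp> <user> <source IP> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (fabricated for this example, not a real capture).
# 203.0.113.7 sprays six accounts and later logs in as frank; 198.51.100.9
# hammers alice's account until it succeeds; bob's typo from 192.0.2.5 is benign.
SAMPLE_LOG = """\
2022-02-14T08:00:01Z alice@example.com 203.0.113.7 FAILURE
2022-02-14T08:00:09Z bob@example.com 203.0.113.7 FAILURE
2022-02-14T08:00:17Z carol@example.com 203.0.113.7 FAILURE
2022-02-14T08:00:25Z dave@example.com 203.0.113.7 FAILURE
2022-02-14T08:00:33Z erin@example.com 203.0.113.7 FAILURE
2022-02-14T08:00:41Z frank@example.com 203.0.113.7 FAILURE
2022-02-14T08:12:03Z frank@example.com 203.0.113.7 SUCCESS
2022-02-14T09:30:00Z bob@example.com 192.0.2.5 FAILURE
2022-02-14T09:30:20Z bob@example.com 192.0.2.5 SUCCESS
2022-02-14T11:00:00Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:02Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:04Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:06Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:08Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:10Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:12Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:14Z alice@example.com 198.51.100.9 FAILURE
2022-02-14T11:00:16Z alice@example.com 198.51.100.9 SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (time, user, ip, ok) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, user.lower(), ip, result == "SUCCESS"))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Source IPs that fail against at least min_accounts distinct users inside one window.

    Returns {ip: {"accounts": n, "successes": [users that logged in from that ip]}}.
    A success from a spraying IP is the account most likely to have been compromised.
    """
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(set)   # ip -> {user}
    for when, user, ip, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append((when, user))
    findings = {}
    for ip, fails in failures.items():
        best = 0
        # Slide a window starting at each failure and count distinct target accounts.
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            findings[ip] = {"accounts": best, "successes": sorted(successes[ip])}
    return findings


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5):
    """Accounts where a SUCCESS follows at least min_failures FAILUREs within window.

    Returns a list of (user, ip, failure_count) for each suspicious success.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for when, _, ip, ok in evs:
            if not ok:
                continue
            count = sum(1 for t, _, _, k in evs if not k and when - window <= t <= when)
            if count >= min_failures:
                findings.append((user, ip, count))
    return findings


def analyze(text=SAMPLE_LOG):
    """Run both detectors over a log and return their findings."""
    events = parse_events(text)
    return {"spray": detect_password_spray(events),
            "brute_force": detect_brute_force(events)}


if __name__ == "__main__":
    for kind, result in analyze().items():
        print(kind, result)
```

On the sample data the spray detector reports 203.0.113.7 with six accounts tried and a later success as frank, and the brute-force detector reports alice's success from 198.51.100.9 after eight failures; bob's single failure is below both thresholds. Two caveats a practitioner should keep in mind: spraying campaigns often rotate source addresses, so grouping by IP alone misses distributed sprays (correlating on user agent or ASN helps), and the failure/success fields in real tenant logs distinguish wrong-password failures from MFA or conditional-access denials, which should be kept separate rather than lumped into one FAILURE bucket.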
“Over the last several years, we have observed and documented a host of malicious activity conducted by Russian state-sponsored cyber actors targeting U.S. critical infrastructure,” CISA Director Jen Easterly said in a statement. “Today’s joint advisory with our partners at FBI and NSA is the latest report to detail these persistent threats to our nation’s safety and security.”
The three agencies said they “urge all CDCs to investigate suspicious activity in their enterprise and cloud environments,” and to mitigate threats through well-known means including the use of multifactor authentication, prompt patching, the use of unique passwords, enabling M365 unified audit logs, and implementing endpoint detection and response tools.