Russian state-sponsored actors have regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.
The sustained espionage campaign is said to have been under way since at least January 2020, according to a joint advisory published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).
"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology," the agencies said. "The acquired data provides valuable insight into U.S. weapons platform development and deployment times, vehicle specifications, and plans for communication infrastructure and information technology."
The compromised entities are contractors that work on command, control, communications and combat systems; surveillance and reconnaissance; weapons and missile design; vehicle and aircraft design; software development; data analytics; and logistics.
The threat actors use "common, but effective" tactics to break into target networks, such as spear-phishing and credential harvesting. They also use password spraying and exploit known vulnerabilities in VPN devices to gain initial access, maintain persistence, and steal data.
Some of the vulnerabilities the attackers exploited to gain initial access and escalate privileges are listed below:
- CVE-2018-13379 (CVSS score: 9.8) – Path traversal vulnerability in Fortinet's FortiGate SSL VPN
- CVE-2020-0688 (CVSS score: 8.8) – Microsoft Exchange validation key remote code execution vulnerability
- CVE-2020-17144 (CVSS score: 8.4) – Microsoft Exchange remote code execution vulnerability
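Password spraying is the one technique in the list above that a defender can reliably pick out of ordinary sign-in logs, because its shape is the inverse of brute force: one source tries a few passwords against many accounts, so per-account lockout thresholds never trip. The detector below is an added illustration, not code from the advisory or the agencies. It assumes a constructed single-line log format (timestamp, source IP, username, result); the sample lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses, and the thresholds (10 distinct accounts inside 30 minutes, at most 3 attempts per account) are all chosen for the example and should be tuned to the tenant being monitored.

```python
"""Password-spray detection over sign-in log lines.

Added illustration for the advisory's mention of password spraying; the log
format, sample lines and thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, source IP, username, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.fromisoformat(m["ts"]),
        src=m["src"],
        user=m["user"].lower(),
        ok=m["result"] == "success",
    )


def detect_spray(lines, window=timedelta(minutes=30), min_users=10, max_per_user=3):
    """Return {src_ip: sorted usernames} for sources whose failures look like a spray.

    A source is flagged when, inside any sliding `window`, it produces failed
    logons for at least `min_users` distinct accounts while never exceeding
    `max_per_user` attempts against any single account: the low-and-slow shape
    that stays under lockout thresholds.
    """
    failures = [e for e in (parse_line(l) for l in lines) if e and not e.ok]
    by_src = defaultdict(list)
    for e in failures:
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Report every account this source sprayed, not just the window.
                flagged[src] = sorted({e.user for e in evs})
                break
    return flagged


def spray_successes(lines, flagged):
    """Accounts that a flagged source later logged into successfully.

    This is the outcome that matters for triage: a spray that landed means a
    credential is now in the attacker's hands and the account needs a reset.
    """
    hits = set()
    for e in (parse_line(l) for l in lines):
        if e and e.ok and e.src in flagged and e.user in flagged[e.src]:
            hits.add((e.src, e.user))
    return hits


def _constructed_sample():
    """Constructed sample log: one sprayer and one clumsy legitimate user."""
    base = datetime(2022, 2, 16, 9, 0, 0)
    lines = []
    # Sprayer: one failure against each of 12 accounts, 90 seconds apart,
    # then a success against the one account whose password was guessable.
    for i in range(12):
        t = base + timedelta(seconds=90 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.5 user=user{i:02d} result=failure")
    t = base + timedelta(minutes=20)
    lines.append(f"{t.isoformat()} src=203.0.113.5 user=user07 result=success")
    # Legitimate user mistyping a password five times, then succeeding:
    # many failures, but one account, so not a spray.
    for i in range(5):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.7 user=jdoe result=failure")
    t = base + timedelta(minutes=3)
    lines.append(f"{t.isoformat()} src=198.51.100.7 user=jdoe result=success")
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print("sprayers:", found)
    print("compromised:", spray_successes(SAMPLE_LOG, found))
```

The detector keys on distinct usernames per source rather than on failure counts, which is why the legitimate user with five failures on a single account is not flagged while the sprayer with one failure per account is. In a real tenant the source would usually be a VPS address rather than a single home IP, and a spray spread across several VPS addresses needs the same logic applied per ASN or per user-agent, but the per-source version above is the baseline rule.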
Many of the intrusions also involve gaining a foothold in enterprise and cloud networks, with the adversaries maintaining persistent access to compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.
"As CDCs patch vulnerabilities in their networks, actors modify their tradecraft to gain new access," the agencies explained. "This activity requires that CDCs monitor for security vulnerabilities in software and update security configurations on internet-facing systems."
Other malicious activities that were observed include the routine exfiltration of emails from the victims' email systems using virtual private servers (VPSs) and legitimate credentials. The advisory does not, however, attribute the activity to any specific Russian state actor.
"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information," said Rob Joyce, director of NSA Cybersecurity. "Armed with insights like these, we can better detect and defend important assets together."