A new cybersecurity advisory from the federal government’s top cybersecurity watchdog says Russian state-sponsored hackers have compromised numerous Defense Industrial Base (DIB) contractors, large and small, over the past two years, and warns of the extensive bag of tricks these hackers employ once they set their sights on defense contractors.
The February 16 advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) does not disclose the specifics of any particular DIB hack, but it openly acknowledges that some of these attack campaigns have succeeded.
“Over the past two years, organizations compromised have included Cleared Defense Contractors (CDCs) that support U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and intelligence community programs,” said CISA, FBI, and NSA.
“In recent years, it has been observed that both large and small CDCs and subcontractors supporting various defense industries have been targeted for unclassified proprietary and export-controlled information such as weapons development, communications infrastructure, technological and scientific research, and other potentially sensitive details,” the agencies said.
The three agencies said they “strongly encourage organizations to apply recommended mitigation steps to reduce the risk of compromise.”
The agencies’ warning about Russian-backed hacking comes amid two separate but related developments:
- The first is the Pentagon’s recent push to expand the reach of its Cybersecurity Maturity Model Certification (CMMC) 2.0 program; and
- The second is independent reporting today that Ukrainian banks and government institutions have been hit by cyberattacks, presumably from Russia.
CISA, FBI, and NSA listed several of the techniques used by the Russian state-sponsored hackers, all of which are already well known to security professionals:
- “Brute force techniques to identify valid domain and M365 account credentials and then use those credentials to gain initial access on networks;
- Spearphishing emails with links to malicious domains, including using methods and techniques to evade virus and spam scanning tools;
- Using collected credentials in conjunction with known vulnerabilities to escalate privileges and gain remote code execution on exposed applications;
- Mapping Active Directory and connecting to domain controllers, which could enable credentials to be exfiltrated; and
- Persistent access maintained for at least six months in multiple instances, likely because attackers relied on possession of legitimate credentials that would allow them to pivot to other accounts.”
“In recent years, we have observed and documented a variety of malicious activities by Russian state-sponsored cyber actors targeting U.S. critical infrastructure,” CISA Director Jen Easterly said in a statement. “Today’s joint deliberation with our partners at the FBI and NSA is the latest report detailing these ongoing threats to our nation’s safety and security.”
The three agencies said they “urge all CDCs to investigate suspicious activity in their enterprise and cloud environments” and to mitigate threats through well-known measures, including multi-factor authentication, rapid patching, unique passwords, enabling M365 Unified Audit Logs, and deploying endpoint detection and response tools.
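As an added illustration (not code from the article or the advisory) of the brute-force technique the agencies list and the Unified Audit Log mitigation they recommend, the Python below reads constructed M365 audit records and flags password spraying (one source failing against many accounts) followed by a successful sign-in from the same source. The record field names follow the Office 365 Management Activity API common schema; the log lines, thresholds and addresses are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Unified Audit Log records, one JSON object per line. Field names
# follow the Office 365 Management Activity API common schema; every value is invented.
SAMPLE_LOG = """\
{"CreationTime":"2022-02-16T09:00:01","Operation":"UserLoginFailed","UserId":"alice@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:00:05","Operation":"UserLoginFailed","UserId":"bob@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:00:09","Operation":"UserLoginFailed","UserId":"carol@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:00:14","Operation":"UserLoginFailed","UserId":"dave@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:00:20","Operation":"UserLoginFailed","UserId":"erin@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:01:02","Operation":"UserLoggedIn","UserId":"erin@example.test","ClientIP":"203.0.113.7"}
{"CreationTime":"2022-02-16T09:30:00","Operation":"UserLoginFailed","UserId":"frank@example.test","ClientIP":"198.51.100.9"}
{"CreationTime":"2022-02-16T09:31:00","Operation":"UserLoggedIn","UserId":"frank@example.test","ClientIP":"198.51.100.9"}
"""


def parse_records(text):
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_credential_attacks(records, window=timedelta(minutes=10), spray_users=5):
    """Flag (a) one source IP failing against >= spray_users distinct accounts inside a
    sliding `window` (password spraying) and (b) a successful sign-in from an IP already
    flagged as spraying (a likely compromised account). Returns a list of findings."""
    records = sorted(records, key=lambda r: r["CreationTime"])
    failures = defaultdict(list)  # ClientIP -> [(timestamp, user)] still inside the window
    spraying = set()
    findings = []
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        ip, user = r["ClientIP"], r["UserId"]
        # Drop failures that have aged out of the window for this source IP.
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if r["Operation"] == "UserLoginFailed":
            failures[ip].append((ts, user))
            targets = {u for _, u in failures[ip]}
            if len(targets) >= spray_users and ip not in spraying:
                spraying.add(ip)
                findings.append(("password_spray", ip, sorted(targets)))
        elif r["Operation"] == "UserLoggedIn" and ip in spraying:
            findings.append(("success_after_spray", ip, user))
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(parse_records(SAMPLE_LOG)):
        print(finding)
```

On the sample data the single failure-then-success from 198.51.100.9 is not reported, because one failed attempt does not meet the spraying threshold; tune `window` and `spray_users` to the tenant's normal sign-in failure rate.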