With the help of the National Security Agency, cybersecurity researchers are revealing the ongoing efforts of these unidentified hackers to steal key data from US defense companies and other sensitive targets.
NSA and US Cybersecurity and Infrastructure Security Agency (CISA) officials are tracking the threat. A division of the NSA responsible for countering foreign cyber threats to the US defense industry contributed an analysis to the Palo Alto Networks report.
In this case, the hackers stole passwords from some target organizations in order to gain long-term access to their networks, Ryan Olson, a senior executive at Palo Alto Networks, told CNN. The intruders could then be well positioned to intercept sensitive data sent via email or stored on computer systems until they are ejected from the network.
Olson said the nine confirmed victims are the “tip of the spear” of the apparent espionage campaign and that he expects more victims to emerge. It is unclear who was responsible for the activity, but Palo Alto Networks said that some of the attackers’ tactics and tools overlapped with those of a suspected Chinese hacking group.
NSA and CISA declined to comment on the identity of the hackers.
With their treasure trove of national security secrets, US defense companies are a recurring target for foreign hackers.
Cybersecurity firm Mandiant announced earlier this year that China-related hackers exploited another software vulnerability to breach defense, financial and public organizations in the US and Europe.
Any company doing business with the Pentagon could have a variety of defense contract data in its emails that could be of interest to overseas spies, said Olson, vice president of Unit 42 at Palo Alto Networks.
“Overall, having access to this information can be very valuable,” said Olson. “Even if it’s not secret information, even if it’s just information about how business is going.”
In the activity uncovered by Palo Alto Networks, the attackers exploited a vulnerability in software that companies use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software bug and urged companies to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 servers running the software in the United States alone and then began exploiting it.
Olson encouraged companies using Zoho software to update their systems and check for signs of a security breach.
Federal officials told CNN the exposure of the hacking activity was evidence of their close collaboration with cybersecurity firms to keep threats under control.
CISA used a nascent public-private defense program to “understand, reinforce, and take action on identified activity in the Palo Alto Networks report,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.
The exposure of the hacking campaign shows how the NSA is “delivering real-time effects to our partners and the nation’s defense,” Morgan Adamski, director of the agency’s Cybersecurity Collaboration Center, said in a statement to CNN.