It is known from at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.
Within the last 2 years, these actors have maintained constant access to multiple CDC networks. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. The threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.
Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.
- Brute force- Threat actors use brute force techniques to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks.
- Spearphising- Threat actors send spearphishing emails with links to malicious domains and use publicly available URL shortening services to mask the link. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link.
- Harvested credentials- The threat actors use harvested credentials in conjunction with known vulnerabilities. In addition, threat actors have exploited on FortiClient to obtain credentials to access networks.
- Known vulnerabilities– As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.
The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. This should be a message to all organizations to tighten their security posture. Below is a list of best practices recommended by FBI, NSA, and CISA.
- Implement robust log collection and retention
- Look for Evidence of Known TTPs
- Implement Credential Hardening
- Enable Multifactor Authentication
- Enforce Strong, Unique Passwords
- Introduce Account Lockout and Time-Based Access Features
- Reduce Credential Exposure
- Establish Centralized Log Management
- Initiate a Software and Patch Management Program
- Employ Antivirus Programs
- Use Endpoint Detection and Response Tools
- These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host.
- Maintain Rigorous Configuration Management Programs
- Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.
- Enforce the Principle of Least Privilege
- Review Trust Relationships
- Review existing trust relationships with IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
- Encourage Remote Work Environment Best Practices
- With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices.
- Establish User Awareness Best Practices