For at least the last two years Russian state-sponsored actors have been targeting and compromising the networks of large and small defense companies whose networks carry classified information, a trio of U.S. agencies warned on Wednesday.
The result has been the theft of proprietary data and information controlled by export restrictions, says the Cybersecurity Advisory (Alert AA-22-047), issued by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, the FBI and National Security Agency.
Specifically, the threat actors have targeted cleared defense contractors (CDCs) supporting the Defense Department and intelligence community in the areas of command, control, communications, and combat systems; intelligence, surveillance, reconnaissance and targeting; weapons and missile development; vehicle and aircraft design; software development, data analytics, computers, and logistics.
The agencies say they have observed these activities by the Russian actors since at least January 2020, adding that the compromised companies work on programs supporting the Army, Air Force, Navy, Space Force, DoD and the intelligence community.
The cyber espionage has resulted in persistent access to contractor networks, sometimes lasting at least six months, and in cases of successful access the bad actors have taken emails and data about contracts, product development, tests and timelines, foreign partnerships and funding, the advisory says.
“For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters,” says the advisory.
The stolen data includes sensitive but unclassified information proprietary to CDCs.
“This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military,” the agencies say. “Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.”
Jen Easterly, the director of CISA, in a statement urged all organizations, regardless of size, to take action to reduce the threats to their networks.
The tactics and techniques being used against CDCs by the Russian state-sponsored actors are unchanged, the advisory says, and include brute force methods, spearphishing, harvested credentials, and exploitation of known vulnerabilities. They are “common but effective tactics to gain access to target networks,” it says.
Recommended actions to thwart the bad actors include enforcing multi-factor authentication and strong, unique passwords, enabling Microsoft [MSFT] 365 unified audit logs, and deploying endpoint detection and response tools.