‘Russian state-sponsored cyber actors’ cited in hacks of U.S. defense contractors


For more than two years, “Russian state-sponsored cyber actors” have targeted the emails and other data of U.S. defense contractors that handle sensitive information about weapons development, computer systems, intelligence-gathering technology and more, the federal government warned Wednesday.

The alert from the Cybersecurity and Infrastructure Security Agency said cleared defense contractors (CDCs) are the primary victims of the breaches. Those companies are authorized by the Department of Defense to access, receive and store classified information as part of their contracting work. The alert does not say whether classified information was accessed.

The attackers, however, have been able to “acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,” the alert said, by focusing on “enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment.”

“The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology,” CISA said. “By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment.”

CISA Director Jen Easterly and Bryan Vorndran, the assistant director of the FBI’s Cyber Division, urged contractors to use good cyber-hygiene and report suspicious activity as the government works on the case.

“Everyone has a role to play to combat this and other Russian cyber threats, and we encourage all organizations of every size to take action to mitigate risks to their networks,” Easterly said in a news release.

A two-year run

The intrusions began around January 2020 and continued into this month, CISA said. The cybersecurity agency, the FBI and the National Security Agency all observed the activity.

“For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters,” CISA said.

Attack methods included “brute force techniques” to acquire credentials to M365 accounts; sending spearphishing emails with links to malicious domains; and using credential-harvesting techniques that exploited public-facing applications like virtual private network (VPN) software.

“As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access,” CISA said. “This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.”

The alert urges contractors to keep reliable logs of activity, patch known vulnerabilities, reset passwords for all local accounts and enable multifactor authentication (MFA) “for all users, without exception.” CISA recommends improving cybersecurity tools wherever possible, too.
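The attack methods described above (brute-force credential guessing against M365 accounts) and the alert's advice to keep reliable logs and enforce MFA meet in the sign-in log. The script below is an added example, not code from CISA's alert or from any vendor: it runs two simple detections over a constructed set of M365-style sign-in records (the CSV layout, the `cdc.example` usernames and the documentation-range IP addresses are all made up for this illustration). One detection flags single-account brute force (many failures against one account from one source in a short window); the other flags password spraying (one source touching many accounts with one failure each, which per-account lockout thresholds never trip). It then lists any successful sign-in from a flagged source and whether MFA was satisfied, which is the case the "MFA for all users, without exception" guidance is meant to close.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). The CSV shape loosely
# mirrors cloud sign-in logs: timestamp, user, source IP, result, MFA satisfied.
SAMPLE_SIGNINS = """\
timestamp,user,src_ip,result,mfa
2021-03-01T08:00:00Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T08:00:20Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T08:00:41Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T08:01:03Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T08:01:25Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T08:01:50Z,alice@cdc.example,203.0.113.10,failure,no
2021-03-01T09:15:00Z,alice@cdc.example,192.0.2.5,success,yes
2021-03-01T22:10:00Z,bob@cdc.example,198.51.100.7,failure,no
2021-03-01T22:11:00Z,carol@cdc.example,198.51.100.7,failure,no
2021-03-01T22:12:00Z,dave@cdc.example,198.51.100.7,failure,no
2021-03-01T22:13:00Z,erin@cdc.example,198.51.100.7,failure,no
2021-03-01T22:14:00Z,frank@cdc.example,198.51.100.7,failure,no
2021-03-01T22:15:00Z,grace@cdc.example,198.51.100.7,success,no
"""


def parse_signins(text):
    """Parse CSV text into dicts; the timestamp becomes a datetime, header row skipped."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(row)
    return records


def _sliding_hits(times, window, threshold):
    """True if at least `threshold` of the timestamps fall inside one `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect_brute_force(records, window=timedelta(minutes=10), threshold=5):
    """(user, src_ip) pairs with >= threshold failures in one window:
    classic single-account password guessing."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[(r["user"], r["src_ip"])].append(r["timestamp"])
    return sorted(k for k, ts in failures.items() if _sliding_hits(ts, window, threshold))


def detect_password_spray(records, window=timedelta(hours=1), min_users=5):
    """Source IPs whose failures touch >= min_users distinct accounts in one
    window: few guesses per account, many accounts, below lockout thresholds."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            by_ip[r["src_ip"]].append((r["timestamp"], r["user"]))
    flagged = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged.append(ip)
                break
    return sorted(flagged)


def successes_from_flagged_ips(records, flagged_ips):
    """(user, src_ip, mfa_satisfied) for successful sign-ins from flagged sources.
    A success with mfa_satisfied == False is the outcome MFA enforcement prevents."""
    return [
        (r["user"], r["src_ip"], r["mfa"] == "yes")
        for r in records
        if r["result"] == "success" and r["src_ip"] in flagged_ips
    ]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    brute = detect_brute_force(recs)
    spray = detect_password_spray(recs)
    flagged = {ip for _, ip in brute} | set(spray)
    print("brute force (user, ip):", brute)
    print("password spray sources:", spray)
    print("successes from flagged sources:", successes_from_flagged_ips(recs, flagged))
```

On the constructed data this reports the six-failure run against `alice` as brute force, `198.51.100.7` as a spraying source, and `grace`'s subsequent non-MFA success from that same source as the event worth an immediate password reset and session revocation. Real sign-in exports carry many more fields (client app, conditional-access result, legacy-protocol flags); the same windowed grouping applies, and legacy protocols that bypass MFA are a common place for the spray to land.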

The U.S. blamed Russian state-sponsored hackers in the compromise of software company SolarWinds, another incident that appeared to be targeted at large-scale data theft from U.S. interests. In Wednesday’s alert, CISA pointed companies to its existing guidance for evicting “advanced persistent threat (APT) actors from cloud and enterprise environments,” issued after the SolarWinds incident came to light.

The value of sensitive but unclassified information in general has been a top concern for DOD officials. The Pentagon is currently trying to roll out the Cybersecurity Maturity Model Certification program, which is intended to push contractors to improve how they handle their networks, in part by subjecting them to third-party review. The contract requirements are still in the rule-making process, and officials say they expect the program to take several years to roll out.

CISA issued a separate alert in January about potential threats to U.S. infrastructure by Russian nation-state hacking groups, as Russia began its military buildup on Ukraine’s borders. In the context of that conflict, President Joe Biden said Tuesday that if “Russia attacks the United States or our allies through asymmetric means, like disruptive cyberattacks against our companies or critical infrastructure, we’re prepared to respond.”

Russian APT groups include APT28, or Fancy Bear, commonly associated with Russia’s GRU intelligence agency, and APT29, or Cozy Bear, which security researchers have linked with Russia’s Foreign Intelligence Service (SVR). CISA pointed readers of Wednesday’s alert to a $10 million reward, posted by the U.S. State Department, for information leading to the identification or location of anyone associated with “malicious cyber activities against U.S. critical infrastructure.”

Jackson Barnett contributed to this story.