[BreachExchange] US agencies detail two-year Russian campaign targeting defense contractors

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Feb 16 13:55:08 EST 2022


https://www.scmagazine.com/analysis/apt/us-agencies-detail-two-year-russian-campaign-targeting-defense-contractors

As Western policymakers grapple with how to interpret promising signs of
potential deescalation in the Russia/Ukraine conflict, U.S. cybersecurity
agencies continue to warn private industry and defense contractors to be on
guard for potential Russian hacking campaigns.

The latest missive is a joint advisory Wednesday from the Cybersecurity and
Infrastructure Security Agency, the FBI and the NSA detailing how Russian
hackers have been persistently targeting cleared U.S. defense contractors
over the past two years. In particular, the campaign targets companies
responsible for supporting U.S. military and intelligence capabilities,
including providing weapons and missile development, software development
and logistics, command, control, communications and combat systems,
intelligence, surveillance, reconnaissance and targeting, and vehicle and
aircraft design.

While Russian APTs are known for developing custom malware and novel attack
paths, these threat actors aren’t doing anything particularly sophisticated
to get into contractor systems, relying on standbys like spearphishing,
brute force password cracking, credential harvesting and previously
disclosed vulnerabilities. Cloud environments and Microsoft 365 tenants are
among the targets they have prioritized.
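The techniques the advisory lists (password brute forcing and credential harvesting against cloud and Microsoft 365 tenants) leave traces in sign-in telemetry. The following is an added example, not code from the article, the advisory or the agencies: it runs three simple detections over a constructed sign-in log, flagging an account hammered with repeated failures, a source that tries one guess against many accounts (password spraying), and a success that directly follows a run of failures from the same source. The log line format, thresholds, addresses and account names are all assumptions made for the illustration.

```python
"""Flag brute-force, password-spray and success-after-failure patterns
in sign-in logs.

Added example (not from the article or the joint advisory). The line
format, thresholds and all sample values below are assumptions.
"""
from collections import Counter, defaultdict
import re
from typing import Dict, List, NamedTuple

# Constructed sample log: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2022-02-16T09:00:01Z 192.0.2.10 j.doe@contractor.example SUCCESS
2022-02-16T09:02:10Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:14Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:19Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:25Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:31Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:38Z 203.0.113.5 j.doe@contractor.example FAILURE
2022-02-16T09:02:45Z 203.0.113.5 j.doe@contractor.example SUCCESS
2022-02-16T09:10:00Z 198.51.100.7 a.smith@contractor.example FAILURE
2022-02-16T09:25:00Z 198.51.100.7 b.jones@contractor.example FAILURE
2022-02-16T09:40:00Z 198.51.100.7 c.lee@contractor.example FAILURE
2022-02-16T09:55:00Z 198.51.100.7 d.kim@contractor.example FAILURE
2022-02-16T10:00:00Z 192.0.2.11 a.smith@contractor.example SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


class SignIn(NamedTuple):
    ts: str
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> List[SignIn]:
    """Parse the assumed one-event-per-line format; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append(SignIn(ts, src, user, result == "SUCCESS"))
    return events


def find_brute_force(events: List[SignIn], threshold: int = 5) -> List[str]:
    """Accounts with at least `threshold` failed sign-ins: one account hammered."""
    fails = Counter(e.user for e in events if not e.ok)
    return sorted(u for u, n in fails.items() if n >= threshold)


def find_password_spray(events: List[SignIn], min_accounts: int = 3) -> List[str]:
    """Sources whose failures span at least `min_accounts` distinct accounts.
    Spraying stays under per-account lockout thresholds, so per-account
    counting alone misses it; group by source instead."""
    per_src: Dict[str, set] = defaultdict(set)
    for e in events:
        if not e.ok:
            per_src[e.src].add(e.user)
    return sorted(s for s, users in per_src.items() if len(users) >= min_accounts)


def find_success_after_failures(events: List[SignIn], min_failures: int = 3) -> List[dict]:
    """Successes preceded by a run of failures from the same source against
    the same account: a likely guessed password that merits a review and
    a credential reset. Events must be in chronological order."""
    streak: Dict[tuple, int] = defaultdict(int)
    hits = []
    for e in events:
        key = (e.src, e.user)
        if e.ok:
            if streak[key] >= min_failures:
                hits.append({"src": e.src, "user": e.user, "ts": e.ts,
                             "failures": streak[key]})
            streak[key] = 0
        else:
            streak[key] += 1
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute-forced accounts:", find_brute_force(evts))
    print("spraying sources:     ", find_password_spray(evts))
    for h in find_success_after_failures(evts):
        print(f"guessed password? {h['user']} from {h['src']} at {h['ts']} "
              f"after {h['failures']} failures")
```

On the sample data the three detections single out different things: the per-account count catches the hammered account, the per-source view catches the spray that never trips a per-account threshold, and the streak check isolates the one sign-in that actually warrants a credential reset. Real tenants need the thresholds tuned against baseline failure rates, and the same logic applies to any sign-in source that records source, account and outcome.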

“These actors take advantage of simple passwords, unpatched systems, and
unsuspecting employees to gain initial access before moving laterally
through the network to establish persistence and exfiltrate data,” the
agencies wrote.

The agencies claim these efforts have resulted in the exfiltration and theft
of what is known as controlled unclassified information — data around
ongoing contracts and projects that falls short of classification but
contains proprietary trade secrets that contractors are still required to
secure — that has provided the Russian government with “significant insight
into U.S. weapons platform development and deployment timelines, vehicle
specifications and plans for communications infrastructure and information
technology.”

This kind of cyberespionage is common, though the agencies say this
particular campaign has been ongoing since at least January 2020 and
remains ongoing today. The intrusions are not one-off or temporary either:
some of the actors were in contractor networks for up to six months, and the
information stolen includes data from contractors supporting the U.S. Army,
Navy, Air Force, Space Force and intelligence agencies.

“Although the actors have used a variety of malware to maintain
persistence, the FBI, NSA, and CISA have also observed intrusions that did
not rely on malware or other persistence mechanisms,” the agencies noted.
“In these cases, it is likely the threat actors relied on possession of
legitimate credentials for persistence, enabling them to pivot to other
accounts, as needed, to maintain access to the compromised environments.”

How best to treat controlled unclassified information remains an ongoing
question that the Department of Defense has struggled to answer. On the one
hand, intelligence officials and lawmakers have repeatedly criticized the
overclassification of otherwise routine documents and the negative impact
it has on both national security and public transparency. On the other,
officials have argued for years that the relentless theft of such
controlled unclassified data has contributed to the material degradation of
U.S. military advantage over countries like Russia and China.

The DoD is currently attempting to set up a certification program that
would provide some form of auditing over the cybersecurity practices of
defense contractors. But the program, called the Cybersecurity Maturity
Model Certification, has gone through multiple iterations and restarts as
Pentagon officials grapple with how stringent to make the requirements.

Initially the department envisioned that the vast majority of the 200,000
to 300,000 members of the defense industrial base would need independent
audits from a third party showing that they were implementing cybersecurity
controls spelled out in federal contracts. That plan received substantial
pushback from the contractor community, while DoD officials have fretted
that the requirements could shrink the defense industrial base too much and
deny the military the ability to work with small or innovative businesses.

Last year, DoD rolled out “CMMC 2.0,” which attempted to simplify the
different levels of certification and allow large chunks of the contractor
base to continue self-certifying that they were following digital security
requirements. That plan was walked back just last week when DoD officials
acknowledged that, because many contractors are expected to have some nexus
to controlled unclassified information, they would almost all need
independent third-party assessments after all.