It’s claimed that a two-year campaign by Russian state-sponsored entities to steal data from US military contractors has been successful.
Russia has been able to steal data from the US, CISA claims
On Wednesday, the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) claimed that Russia’s cyber-sleuths had obtained “significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.”
The intruders, according to the Agency, removed sensitive and unclassified email and papers as well as data on proprietary and export-controlled technology.
CISA’s announcement states that:
“From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors.”
Meanwhile, 150,000 Russian troops have gathered near Ukraine’s borders, and American officials believe an invasion is forthcoming. Russia maintains that it will not invade, while world leaders are attempting to resolve the crisis through diplomacy.
The intruders reportedly did not need novel methods to get into the networks of US military contractors. According to CISA, the Kremlin-backed attackers relied on well-established techniques such as spearphishing, credential harvesting and password cracking.
Microsoft 365 was the primary target of the attackers, who sought to compromise it by attacking its productivity apps and complementary cloud services.
The intruders’ prize appears to have been M365 credentials, which they used to remain hidden inside defense contractors’ environments for months at a time. Those intrusions frequently went unnoticed.
“In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes.”
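The permission change described in that quote leaves a trace in the tenant’s directory audit log, because editing an enterprise application’s required permissions is itself a logged administrative operation. The example below is an added illustration, not part of the CISA advisory or of any Microsoft tooling: it scans audit records for application updates that newly add tenant-wide read permissions (SharePoint sites, mailboxes, user profiles) and reports who made the change. The record layout loosely follows the Azure AD audit log shape (activityDisplayName, initiatedBy, targetResources with modifiedProperties), but the sample records are constructed, and they use permission names in place of the permission GUIDs a real export would carry, which is an assumption noted in the code.

```python
import json
from typing import Dict, List, Set

# Microsoft Graph permissions that give an application tenant-wide read access
# of the kind the advisory describes: every SharePoint page, every mailbox and
# every user profile. Any of these appearing *newly* on an existing app is
# worth a ticket, even when the actor is a legitimate global admin account.
BROAD_READ_SCOPES = {
    "Sites.Read.All", "Sites.FullControl.All",
    "Mail.Read", "Mail.ReadWrite",
    "User.Read.All", "Directory.Read.All",
}

# Audit operations that can change what an application is allowed to read.
# These operation names exist in Azure AD audit logs; the rest of the record
# shape below is a simplified approximation (assumption).
WATCHED_OPERATIONS = {
    "Update application",
    "Add app role assignment to service principal",
    "Consent to application",
}


def _scopes(value: str) -> Set[str]:
    """Extract permission names from a RequiredResourceAccess-style value.

    The value is a JSON list of resource entries, each carrying a list of
    resourceAccess items. Real exports put a permission GUID in "id"; the
    constructed samples here put the permission name there so the example
    runs without a GUID lookup table (assumption)."""
    if not value:
        return set()
    try:
        entries = json.loads(value)
    except json.JSONDecodeError:
        return set()
    found: Set[str] = set()
    for entry in entries:
        for access in entry.get("resourceAccess", []):
            found.add(access.get("id", ""))
    return found


def find_suspicious_grants(records: List[Dict]) -> List[Dict]:
    """Return one finding per audit record that newly adds a broad read scope."""
    findings = []
    for rec in records:
        if rec.get("activityDisplayName") not in WATCHED_OPERATIONS:
            continue
        actor = (rec.get("initiatedBy", {}).get("user", {})
                    .get("userPrincipalName", "unknown"))
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "RequiredResourceAccess":
                    continue
                # Only permissions that were not there before matter: an
                # unchanged broad scope is an existing design decision, not
                # a new grant.
                added = _scopes(prop.get("newValue", "")) - _scopes(prop.get("oldValue", ""))
                broad = added & BROAD_READ_SCOPES
                if broad:
                    findings.append({
                        "time": rec.get("activityDateTime"),
                        "actor": actor,
                        "app": target.get("displayName"),
                        "added_broad_scopes": sorted(broad),
                    })
    return findings


def _access(*names: str) -> str:
    """Build a constructed RequiredResourceAccess value for the samples."""
    return json.dumps([{"resourceAppId": "graph-placeholder",
                        "resourceAccess": [{"id": n, "type": "Scope"} for n in names]}])


# Constructed sample audit records (not real tenant data).
SAMPLE_RECORDS = [
    {   # Benign: a developer adds only the basic sign-in scope to their app.
        "activityDateTime": "2021-03-02T09:14:00Z",
        "activityDisplayName": "Update application",
        "initiatedBy": {"user": {"userPrincipalName": "dev.alice@example.test"}},
        "targetResources": [{"displayName": "Timesheet Portal", "modifiedProperties": [
            {"displayName": "RequiredResourceAccess",
             "oldValue": _access(), "newValue": _access("User.Read")}]}],
    },
    {   # Suspicious: an existing app is widened to read all sites, mail and users.
        "activityDateTime": "2021-03-02T23:41:00Z",
        "activityDisplayName": "Update application",
        "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.test"}},
        "targetResources": [{"displayName": "Legacy Reporting Connector", "modifiedProperties": [
            {"displayName": "RequiredResourceAccess",
             "oldValue": _access("User.Read"),
             "newValue": _access("User.Read", "Sites.Read.All", "Mail.Read", "User.Read.All")}]}],
    },
    {   # Unrelated operation: ignored by the watchlist.
        "activityDateTime": "2021-03-03T08:00:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
        "targetResources": [{"displayName": "bob@example.test", "modifiedProperties": []}],
    },
]

if __name__ == "__main__":
    for finding in find_suspicious_grants(SAMPLE_RECORDS):
        print(finding)
```

In a live tenant the same logic would run over an audit log export or a SIEM feed, with the GUID-to-name resolution added; the useful signal is the diff of old versus new permissions, combined with the identity of the admin who made the change and the time of day, which is what lets a defender distinguish a routine app update from a quietly widened one.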
The following month, hackers launched a series of attacks focused on CVE-2018-13379, a hole in Fortinet’s FortiGate SSL VPN discovered in May 2019.
CISA also shared guidance on defending against such attacks.
Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.
Basic measures include running antivirus software, using strong passwords, and enabling multi-factor authentication. Enforcing the principle of least privilege is also recommended.
CISA’s proposals call for a thorough examination of trust connections, including those with cloud service providers.
CISA has not yet concluded its investigation. A reward of up to $10 million is on offer for further information on Russian intrusion activity:
“If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”