US says Russian state hackers lurked in defense contractor networks for months

By | February 16, 2022
[Image: cartoon padlock and broken glass superimposed on a Russian flag. Caption: What’s happened to Russia’s flag?]

Hackers backed by the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has exposed sensitive information about US weapons development and communications infrastructure, the federal government said on Wednesday.

The campaign began no later than January 2020 and has continued through this month, according to a joint advisory by the FBI, National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The hackers have been targeting and successfully hacking cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and intelligence community.

“Persistent access,” “significant insight”

“During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months,” officials wrote in the advisory. “In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.”

The exfiltrated documents have included unclassified CDC-proprietary and export-controlled information. This information gives the Russian government “significant insight” into US weapons-platforms development and deployment timelines, plans for communications infrastructure, and specific technologies being used by the US government and military. The documents also include unclassified emails among employees and their government customers discussing proprietary details about technological and scientific research.

The advisory said:

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

Spear-phishing, hacked routers, and more

The hackers have used a variety of methods to breach their targets, including harvesting account credentials through spear-phishing, reusing passwords exposed in earlier data breaches, password-cracking techniques, and exploiting unpatched software vulnerabilities. After gaining a foothold in a targeted network, the threat actors escalate their privileges by mapping the Active Directory and connecting to domain controllers. From there, they can dump the credentials of every other domain account and create new accounts of their own.

The hackers make use of virtual private servers to encrypt their communications and hide their identities, the advisory added. They also use “small office and home office (SOHO) devices, as operational nodes to evade detection.” In 2018, Russia was caught infecting more than 500,000 consumer routers so the devices could be used to infect the networks they were attached to, exfiltrate passwords, and manipulate traffic passing through the compromised device.

These techniques and others appear to have succeeded.

“In multiple instances, the threat actors maintained persistent access for at least six months,” the joint advisory stated. “Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence, enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.”

The advisory contains a list of technical indicators admins can use to determine if their networks have been compromised in the campaign. It goes on to urge all CDCs to investigate suspicious activity in their enterprise and cloud environments.
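The two behaviors the advisory describes above, pulling credentials from domain controllers after mapping Active Directory and then persisting on legitimate credentials by pivoting between accounts rather than with malware, both leave traces in domain controller security logs. The following is an added example, written for this page and not taken from the advisory or from Ars Technica, of a small detection pass that looks for those traces. The Windows event IDs (4624 logon, 4662 directory object access, 4720 user account created) and the two replication-rights GUIDs are real Windows values; the log lines, host names, account names, the allowlist of replicating accounts, and the JSON field layout are constructed for the demonstration and are not indicators from the advisory.

```python
"""Illustrative detection pass over constructed Windows Security events.

Added example, not code from the FBI/NSA/CISA advisory. Event IDs and the
replication-rights GUIDs are real Windows values; every log line, host name,
account name and the field layout below are constructed for this demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access-right GUIDs that show up in Event 4662 when an account
# replicates directory data, which is what a DCSync-style credential dump needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: only domain controller machine accounts legitimately replicate.
# In a real environment add known AD-sync service accounts here.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}

# Constructed sample log: one JSON event per line, in time order, in a shape a
# SIEM might store (field names are this example's own, not a Windows schema).
SAMPLE_LOG = r"""
{"event_id": 4624, "user": "j.doe", "src_host": "WS-ENG-17", "logon_type": 2, "ts": "2021-06-03T08:02:11Z"}
{"event_id": 4624, "user": "j.doe", "src_host": "WS-ENG-17", "logon_type": 2, "ts": "2021-06-04T08:05:40Z"}
{"event_id": 4624, "user": "j.doe", "src_host": "VPS-203-0-113-9", "logon_type": 3, "ts": "2021-06-05T02:14:03Z"}
{"event_id": 4662, "user": "j.doe", "src_host": "VPS-203-0-113-9", "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"], "ts": "2021-06-05T02:16:52Z"}
{"event_id": 4662, "user": "DC02$", "src_host": "DC02", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"], "ts": "2021-06-05T02:20:00Z"}
{"event_id": 4720, "user": "svc_backup2", "subject_user": "j.doe", "src_host": "DC01", "ts": "2021-06-05T02:21:30Z"}
{"event_id": 4624, "user": "svc_backup2", "src_host": "VPS-203-0-113-9", "logon_type": 3, "ts": "2021-06-06T01:58:12Z"}
"""


def _ts(value):
    """Parse the constructed timestamp format used in SAMPLE_LOG."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_replication_abuse(events):
    """4662 requesting replication rights by an account outside the allowlist."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4662 or ev["user"] in REPLICATION_ALLOWLIST:
            continue
        if REPLICATION_GUIDS & set(ev.get("properties", [])):
            hits.append((ev["ts"], ev["user"], ev["src_host"]))
    return hits


def detect_account_creation(events):
    """Every 4720 deserves review: (ts, who created it, the new account)."""
    return [(ev["ts"], ev["subject_user"], ev["user"])
            for ev in events if ev.get("event_id") == 4720]


def detect_new_logon_sources(events):
    """Network logon (type 3) from a host the account has never used before.

    Assumption: the hosts an account has already been seen on form its baseline,
    so an existing account reaching in from a brand-new host is flagged.
    """
    seen = defaultdict(set)
    hits = []
    for ev in events:
        if ev.get("event_id") != 4624:
            continue
        user, host = ev["user"], ev["src_host"]
        if seen[user] and host not in seen[user] and ev.get("logon_type") == 3:
            hits.append((ev["ts"], user, host))
        seen[user].add(host)
    return hits


def detect_logons_by_new_accounts(events, window_days=7):
    """Logon by an account created within window_days: pivot to a fresh identity."""
    created, hits = {}, []
    for ev in events:  # relies on the log being in time order
        if ev.get("event_id") == 4720:
            created[ev["user"]] = _ts(ev["ts"])
        elif ev.get("event_id") == 4624 and ev["user"] in created:
            if _ts(ev["ts"]) - created[ev["user"]] <= timedelta(days=window_days):
                hits.append((ev["ts"], ev["user"], ev["src_host"]))
    return hits


def run_all(log_text=SAMPLE_LOG):
    """Run every detector over the log and return findings keyed by rule."""
    events = parse_events(log_text)
    return {
        "replication": detect_replication_abuse(events),
        "new_accounts": detect_account_creation(events),
        "new_sources": detect_new_logon_sources(events),
        "new_account_logons": detect_logons_by_new_accounts(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(rule, findings)
```

On the constructed sample the four rules together reconstruct the sequence the advisory describes: an existing account appears from a host it has never used (the VPS-named host, standing in for the encrypted proxies mentioned above), requests directory replication it has no business requesting, creates a new account, and that new account then logs in from the same host. None of these events involves malware, which is why the advisory's malware-free persistence cases are best hunted from authentication and directory-access logs rather than from endpoint file indicators; the allowlist and baseline assumptions are the parts to replace with real inventory data before using logic like this in production.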