The Federal Bureau of Investigation (FBI), Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) have joined forces to publish a joint warning that Russian hackers have targeted defence contractors to steal sensitive data.
According to an advisory issued by the US authorities, Russian state-sponsored hackers have been regularly observed targeting US cleared defence contractors (CDCs) since at least January 2020, acquiring "sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology".
The stolen information includes internal documents and email communications, and - according to the advisory - "provides significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology".
According to the US authorities, targeted industries include weapons and missile development, vehicle and aircraft design, software development and information technology, data analytics, and logistics.
The hacking techniques used in the attacks appear to be basic but effective, typically taking advantage of spear phishing, brute force attacks, and credential harvesting.
In addition, cyber criminals have been spotted exploiting known vulnerabilities in enterprise and VPN software to break their way into systems.
Information exfiltrated from the hacked organisations includes:
- Email communications
- Contract details
- Product development
- Tests and timelines
- Foreign partnerships
With such stolen data in its hands, an adversary "may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of US intentions, and target potential sources for recruitment," according to the advisory.
That sounds to me that the criminals managed to make off with some pretty valuable information from defence contractors.
As a consequence, the FBI, CISA, and NSA are encouraging all CDCs, who support the US Army, US Air Force, US Navy, US Space Force, and DoD and Intelligence programs, to apply a series of recommended mitigations, regardless of whether they found have found any evidence of their own systems being compromised.
The advice? Enable multi-factor authentication, enforce the use of strong and unique passwords, reduce credential exposure with virtualization solutions, introduce account lockout and time-based access features, apply the principle of least privilege, train staff in best practices, and establish centralised log management.
This alongside well-trodden advice such as keeping software patched and up-to-date can all play a part in making it more difficult for an attacker to gain unauthorised access to a system.
"Kudos to CISA for including meaningful mitigations in this advisory. Unfortunately, as is often the case with changes in the threat landscape, the risk mitigation actions are all relatively complex to implement. While these mitigations are core security controls that organizations should be implementing already, it's important that we not let the perfect be the enemy of the good," said Tripwire’s VP of Strategy, Tim Erlin. "It’s possible to gain incremental benefit from incremental implementation. Cleared Defense Contractors should use the list of mitigations in the advisory as a checklist to identify areas of improvement that they can prioritize."
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.