It is known from at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.
Within the last 2 years, these actors have maintained constant access to multiple CDC networks. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. The threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.
Initial Actions:
Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.
Brute force- Threat actors use brute force techniques to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks.
Spearphising- Threat actors send spearphishing emails with links to malicious domains and use publicly available URL shortening services to mask the link. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim’s clicking on the link.
Harvested credentials- The threat actors use harvested credentials in conjunction with known vulnerabilities. In addition, threat actors have exploited on FortiClient to obtain credentials to access networks.
Known vulnerabilities– As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. This activity necessitates CDCs maintain vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.
Best Practices:
The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. This should be a message to all organizations to tighten their security posture. Below is a list of best practices recommended by FBI, NSA, and CISA.
Implement robust log collection and retention
Look for Evidence of Known TTPs
Implement Credential Hardening
Enable Multifactor Authentication
Enforce Strong, Unique Passwords
Introduce Account Lockout and Time-Based Access Features
Reduce Credential Exposure
Establish Centralized Log Management
Initiate a Software and Patch Management Program
Employ Antivirus Programs
Use Endpoint Detection and Response Tools
These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host.
Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.
Enforce the Principle of Least Privilege
Review Trust Relationships
Review existing trust relationships with IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
Encourage Remote Work Environment Best Practices
With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices.
Sapphire AIDorem ipsum dolor sit amet, consectetur adipiscing elit.
Cerulean XDR AgentDorem ipsum dolor sit amet, consectetur adipiscing elit.
SIEMDorem ipsum dolor sit amet, consectetur adipiscing elit.
Cloud SecurityDorem ipsum dolor sit amet, consectetur adipiscing elit.
Cyber Risk ScoreDorem ipsum dolor sit amet, consectetur adipiscing elit.
M356 Security MonitorDorem ipsum dolor sit amet, consectetur adipiscing elit.
FinancialDorem ipsum dolor sit amet, consectetur adipiscing elit.
HealthcareDorem ipsum dolor sit amet, consectetur adipiscing elit.
ManufacturingDorem ipsum dolor sit amet, consectetur adipiscing elit.
Critical InfrastructureDorem ipsum dolor sit amet, consectetur adipiscing elit.
TechnologyDorem ipsum dolor sit amet, consectetur adipiscing elit.
BlogDorem ipsum dolor sit amet, consectetur adipiscing elit.
Agile TakesDorem ipsum dolor sit amet, consectetur adipiscing elit.
Case StudiesDorem ipsum dolor sit amet, consectetur adipiscing elit.
NewsroomDorem ipsum dolor sit amet, consectetur adipiscing elit.
WhitepapersDorem ipsum dolor sit amet, consectetur adipiscing elit.
WebinarsDorem ipsum dolor sit amet, consectetur adipiscing elit.
Sapphire AIDorem ipsum dolor sit amet, consectetur adipiscing elit.
FinancialDorem ipsum dolor sit amet, consectetur adipiscing elit.