Russian state-sponsored cybercriminals lurked for the last two years in numerous U.S Cleared Defense Contractors’ (CDC) networks stealing sensitive, unclassified information along with proprietary and export-controlled technology.
The alert contained details about the methods the cyberattackers used and recommendations for the targeted organizations to mitigate further ongoing attacks regardless of evidence of compromise.
Cyberattackers maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors successfully obtained access, the FBI, NSA, and CISA noted regular and recurring exfiltration of emails and data.
Exposing Strengths and Weaknesses
For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.
These intrusions granted the actors significant insight into U.S. weapons’ strengths and weaknesses and deployment status. They also provided plans for communications infrastructure and specific technologies employed by the U.S. government and military, according to the alert.
The cyberattacks lasted from at least January 2020 through February 2022. The three U.S. agencies observed regular targeting of U.S. defense contractors of both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.
Federal contractors have struggled with securing valuable data in the past, noted Eric Noonan, the CEO of CyberSheath and former BAE Systems CISO.
“In fact, if you look at the many highly successful attacks on defense contractors and the federal government’s own data, it suggests that contractors have ignored and not complied with the minimum cybersecurity requirements required of them,” he told TechNewsWorld.
Constant, Effective Tactics
The cyber pirates leveraged access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, the Department of Defense (DoD) and Intelligence programs.
The cyber hackers took advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data, the alert said. In many attempted compromises, they employed similar tactics to gain access to enterprise and cloud networks.
Historically, Russian state-sponsored cyber actors used common but effective tactics to gain access to target networks. These methods included spear phishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security.
The Russia-sponsored hackers prioritized their efforts against the widely used Microsoft 365 (M365) environment. They often maintained persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.
Few things are different in looking at attack scenarios previously and the just-disclosed Russian-sponsored cyberattacks. The United States government has been experiencing similar nation-state attacks for more than a decade.
“The federal government is still issuing advisories to follow basic cybersecurity protocol and recommendations, such as using strong, unique passwords. The government is making those recommendations because the Defense Industrial Base is not doing the basics of cybersecurity, which Russia and China have identified and taken the opportunity to exploit time and time again,” explained Noonan.
One of the biggest issues is that federal contractors self-certify their cybersecurity posture to the federal government. That is much like letting businesses audit their own tax returns, he added.
“Another frustrating factor is that we are still seeing basic attack methods being deployed such as spear phishing and exploiting unpatched systems with known vulnerabilities,” he said.
Stolen Digital Loot Deleterious
Many contract awards and descriptions are publicly accessible. But program developments and internal company communications remain sensitive. Cyber looters got that and more.
Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research. They also contain program updates and funding statuses.
The acquired information provided actor states with significant insight into U.S. weapons platforms’ development and deployment timelines. The data thefts also included vehicle specifications and plans for communications infrastructure and information technology.
Access to proprietary internal documents and email communications gives adversaries the potential ability to adjust their own military plans and priorities. It also may hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment, according to the cybersecurity alert.
Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future.
Government Enforcement Inadequate
Federal contractors at least should simply achieve the mandatory cybersecurity minimums that are required of them today. But those minimums are not audited or enforced by the government, according to Noonan.
“Our Defense Industrial Base would be more secure overnight. The government has largely gotten it right in selecting the requirements. They just have not enforced them,” he offered.
So the government sets the speed limit at an appropriate level. The problem is that no one is out there with a radar gun pulling anybody over for speeding, he said of the lack of security enforcement.
In addition, the government should quickly prepare the entire supply chain to better defend against these attacks by making cybersecurity a barrier to revenue, Noonan suggested.
The government must audit federal contractors to the National Institute of Standards and Technology (NIST) cybersecurity standards and withhold contracts until they comply with mandatory cybersecurity minimums.
“Revenue drives behavior, and the U.S. government can use it as an incentive to solve this problem,” he urged.
Lurking Risk Appears Next
Many things get blanketed under the term national security to give them importance, but the kind of intellectual property that we are talking about here really does deserve that designation, Noonan maintained. Imagine if the weapons system that taxpayers have spent billions developing does not work when they need it to.
Some of this information might be considered mundane. But when it is put together, the adversary could potentially map the entirety of a specific supply chain, knowing who the critical suppliers are and where best to cause disruption.
“The use cases are endless, but we know all of this. So how is it that in the wake of SolarWinds and these Russian attacks we still do not have mandatory minimum cybersecurity requirements for all federal contractors?” he asked critically.