A two-year campaign by state-sponsored Russian entities to siphon information from US defense contractors worked, it is claimed.
Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said Moscow’s cyber-snoops have obtained “significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.”
The Agency added that the intruders made off with sensitive and unclassified email and documents as well as data on proprietary and export-controlled technology.
CISA’s announcement and an accompanying report [PDF] state that it, the FBI, and the NSA have all spotted “regular targeting” of contractors that serve the US Department of Defense, intelligence agencies, and all branches of the US military other than the Coast Guard. Contractors serving the US Space Force, which was founded in 2019, were also targeted.
The campaign started in “at least” January 2020 and ran until February 2022. Apropos of nothing, 150,000 Russian troops have gathered near Ukraine’s borders, and American officials believe an invasion is imminent. Russia says it’s not going to do that, and world leaders are trying diplomacy to defuse the situation.
Attackers changed permissions to give read access to all SharePoint pages
Whoever broke into the US defense contractors’ systems did not use novel tactics, it is said. The Kremlin-backed cyber-attackers’ weapons of choice were established techniques such as spearphishing, credential harvesting, brute forcing of passwords, and exploiting known vulnerabilities, according to CISA.
The attackers prioritized efforts to target Microsoft 365 – the Windows giant’s suite of productivity apps and complementary cloud services, we’re told.
Obtaining legitimate M365 credentials appears to have been the jackpot for the intruders, who used them to maintain a presence inside defense contractors for months at a time. Those infiltrations often went undetected.
One successful attack involved miscreants scoring valid credentials to a global admin account within an M365 tenant and using it “to change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes.”
Other attackers focused on CVE-2018-13379, a flaw in Fortinet’s FortiGate SSL VPN disclosed in May 2019. Yes, that means defense contractors were running unpatched kit at least seven months after the alarm was raised over a bug rated 9.8/10 on the Common Vulnerability Scoring System.
CISA’s response is a long list of security controls and practices it wants defense contractors to observe, some of which – such as an exhortation to “initiate a software and patch management program” – surely cannot be news to any competent manager, governance officer, or IT professional, never mind someone working in such roles at a defense contractor.
Other basic guidance includes running antivirus software, enforcing use of strong passwords, and adopting multi-factor authentication. Enforcing the principle of least privilege is also recommended.
There’s also some more specific advice that’s perhaps excusably not in place at some organisations – such as implementing central log management and correlating M365 logs with output from security appliances.
Contractors’ suppliers are also in the frame, as CISA’s guidance calls for a review of trust relationships including with managed service providers and cloud service providers.
Whether US defense and intelligence organisations are also reviewing their trust relationships with suppliers that did not perform basic infosec hygiene is not discussed in the document.
CISA’s not certain it has got to the bottom of the situation. Its disclosure dangles a $10 million reward for further information on Russian infiltration activity. ®