State-sponsored threat actors from Russia have stolen unclassified but sensitive data on US weapons development and specific technologies used by the US military and government as part of a broader and ongoing cyber espionage campaign going back to at least January 2020.
The campaign's victims have included big and small private companies and contractors that have obtained security clearance to do work for the US Department of Defense and the intelligence community, the US Cybersecurity and Infrastructure Security Agency (CISA) said in an alert Wednesday. These cleared defense contractors (CDCs) support contracts for the US government in multiple areas, including weapons and missile development, intelligence and surveillance, combat systems, and vehicle and aircraft design.
The CISA alert did not identify any Russian state actor by name. But in describing several of the tactics, techniques, and procedures (TTPs) used in the campaign, the report pointed to a MITRE group description of APT28, aka Fancy Bear, a threat group that the US government has linked to the GRU, Russia's main intelligence directorate. The threat actor has been associated with numerous high-profile cyber incidents, including the breach at the Democratic National Committee during the run-up to the 2016 presidential election and a sustained campaign against the World Anti-Doping Agency between 2014 and 2018. In 2018 the US indicted seven Russian intelligence officers for their roles in the campaign.
CISA's notification is sure to heighten concerns about more Russian cyberattacks against US organizations amid worsening relations between the two countries over Ukraine. In fact, this week President Biden specifically warned Russia against attacking US organizations and critical infrastructure "through asymmetric means, like disruptive cyberattacks." The US is prepared to respond to such attacks, Biden warned.
CISA's Wednesday alert itself follows an earlier "Shields Up" notice from the agency, urging US organizations to take measures that help them quickly detect and respond to potentially damaging cyber intrusions by Russian threat actors. CISA noted how Russia has used cyber as a "key component of their force projection" over the last decade, including during its conflicts with Ukraine.
Clear and Present Danger
"This warning underscores the clear and present danger posed by Russian-based cyber militias," says Tom Kellermann, head of cybersecurity strategy at VMWare. "The declassification of this advisory highlights the ongoing pervasive campaign of island-hopping occurring against government agencies via the defense industrial base."
According to CISA, the Russian actors behind the campaign targeting US cleared defense contractors have been using effective but common tactics to break into target networks and to maintain persistence on them. These tactics include spear-phishing, brute-force password-guessing, password spraying, credential harvesting, and exploits against known vulnerabilities.
In many attacks, the threat actors focused their efforts on breaking into Microsoft 365 environments, CISA said. Once on a network, the threat actors map the Active Directory of the victim organization and connect to domain controllers from where they steal credentials that are later used to maintain persistence. In at least one instance, the actors were able to remain persistent on a victim network for six months.
"In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers," CISA said, referring to the post-compromise password-dumping tool that is widely popular among cyberattackers.
CISA's advisory, developed with the assistance of the FBI and NSA, offers guidance on what organizations should be doing to prepare for the possibility of increased attacks by Russia-affiliated threat actors. Tips include the need for organizations to implement strong log collection and retention measures so they can investigate and detect behavior consistent with the current threat activity, as well as the need to look for anomalous behavior and perform a complete identity reset if evidence of compromise is detected.
The alert also advocated the use of strong passwords and strong authentication measures to lessen exposure to credential theft and the use of features like account lockout and time-based access restrictions.
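The spraying and brute-force tactics CISA lists, together with its advice on log collection, anomaly review and account lockout, translate into a straightforward check over authentication logs. The following is an added example, not code from the CISA alert or this article: it runs over constructed sign-in events and separates the two patterns, because per-account lockout stops one but not the other, and then names the accounts that would need the identity reset the advisory calls for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): one source sprays a
# single guess across many accounts and finally succeeds on one, a second
# source hammers one account, and a third is an ordinary mistyped password.
SAMPLE_EVENTS = [  # (timestamp, user, source IP, result)
    ("2020-01-15T08:00:05", "alice", "203.0.113.7", "failure"),
    ("2020-01-15T08:00:09", "bob", "203.0.113.7", "failure"),
    ("2020-01-15T08:00:14", "carol", "203.0.113.7", "failure"),
    ("2020-01-15T08:00:19", "dave", "203.0.113.7", "failure"),
    ("2020-01-15T08:00:24", "erin", "203.0.113.7", "success"),
    ("2020-01-15T09:10:00", "frank", "198.51.100.9", "failure"),
    ("2020-01-15T09:10:02", "frank", "198.51.100.9", "failure"),
    ("2020-01-15T09:10:04", "frank", "198.51.100.9", "failure"),
    ("2020-01-15T09:10:06", "frank", "198.51.100.9", "failure"),
    ("2020-01-15T12:00:00", "alice", "192.0.2.40", "failure"),
    ("2020-01-15T12:00:30", "alice", "192.0.2.40", "success"),
]

def _failures_by_ip(events):
    """Group failed sign-ins by source IP as time-sorted (timestamp, user)."""
    by_ip = defaultdict(list)
    for t, user, ip, result in events:
        if result == "failure":
            by_ip[ip].append((datetime.fromisoformat(t), user))
    return {ip: sorted(a) for ip, a in by_ip.items()}

def classify_failures(events, window=timedelta(minutes=10), min_users=4, min_failures=4):
    """Per source IP, tag 'spray' (many distinct accounts failing in one window,
    each below lockout) and/or 'brute_force' (many failures on one account)."""
    findings = {}
    for ip, attempts in _failures_by_ip(events).items():
        for i, (start, _) in enumerate(attempts):
            users = [u for ts, u in attempts[i:] if ts - start <= window]
            tags = set()
            if len(set(users)) >= min_users:
                tags.add("spray")
            if users and max(users.count(u) for u in set(users)) >= min_failures:
                tags.add("brute_force")
            if tags:
                findings.setdefault(ip, set()).update(tags)
    return {ip: sorted(t) for ip, t in findings.items()}

def successes_from_sprayers(events, findings):
    """Accounts that signed in successfully from a spraying source: the
    credentials to reset, rather than only blocking the IP."""
    sprayers = {ip for ip, tags in findings.items() if "spray" in tags}
    return sorted(u for _, u, ip, r in events if r == "success" and ip in sprayers)
```

On real Microsoft 365 or domain-controller sign-in logs the same logic applies once the four fields are extracted; the thresholds and window are tuning knobs, not fixed values.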
"Today's CISA alert is a clear indication that we should expect a dramatic increase in Russian threat activity targeting the US, Ukraine, and other nation entities," says Tim Keeler, CEO of Remediant.
He points to how cyberattacks played a key role during Russia's annexation of Crimea, not just in the region but elsewhere as well. "In March of 2014, there was a 40% increase of Russian botnet activity across the globe," he says.
Similarly, during the Crimea incursion in December 2015, Ukraine faced a highly coordinated cyberattack against its power grid, resulting in loss of power to over 230,000 people. Cyberattacks were a key strategic reconnaissance and disruption tool during these military operations. The same thing is happening today in Ukraine, he says.
"The CISA alert calls out that not only government agencies are being targeted, but we should also see a rise in overall cyberattacks against banks and technology firms," Keeler says.
Meanwhile, organizations that have information leading to the identification or location of state-sponsored Russian cyber actors targeting US critical infrastructure may be eligible for a reward of up to $10 million, CISA says.
"The volume of cyberattacks will likely increase and become destructive over the coming days," Kellermann says.
US organizations should be prepared for data-integrity attacks and ransomware being deployed NotPetya-style against critical infrastructures. "Organizations should refer to CISA's Shields Up guidance to adopt a heightened security posture and maximize resilience," Kellermann adds.