CISA Alert AA22-047A – Russian state-sponsored cyber actors target cleared defense contractor networks to obtain sensitive US defense information and technology.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Four Seven Alpha.

​​Original release date: February Sixteenth, twenty twenty two.

CISA, the FBI, and NSA have observed Russian state-sponsored cyber actors regularly target US cleared defense contractors from at least January 2020 through February 2022. The actors have targeted both large and small defense contractors and subcontractors with varying levels of cybersecurity protocols and resources. These defense contractors support contracts for the US Department of Defense and Intelligence Community in command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics. 

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force and password spraying, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. 

In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.

These intrusions have enabled the APT to acquire controlled unclassified information, as well as proprietary and export-controlled technology. The stolen information provides significant insight into the development and deployment of US weapons platforms, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development, inform foreign policymakers of US intentions, and target potential human sources for recruitment. CISA, NSA, and the FBI urge all defense contractors to apply the recommended mitigations listed in this advisory, regardless of evidence of compromise.

The alert documentation linked in the show notes provides specific threat details, adversary TTPS, and mitigation actions associated with this activity. The documentation also includes a full MITRE ATT&CK framework mapping of the threat actor TTPs.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.