CISA Alert AA22-277A: data stolen from Defense Industrial Base Sector organization.
Oct 5, 2022

CISA has released an alert detailing a breach of a defense firm’s systems.

The Cybersecurity and Infrastructure Security Agency (CISA) released a report yesterday detailing alert AA22-277A. From November 2021 through January 2022, CISA uncovered activity from likely multiple advanced persistent threat (APT) groups on a Defense Industrial Base (DIB) Sector organization’s enterprise network. The organization affected isn't named in the report. The APTs used Impacket, an open-source toolkit, to gain access, and then used the custom data exfiltration tool CovalentStealer to steal sensitive data. “Advanced persistent threat” usually, although not invariably, means a state actor, a group acting under the direction of an intelligence or security service.

Multiple APTs were involved.

In this case, as BleepingComputer notes, CISA did not indicate who was behind the APTs. “During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” CISA says in the report.

The agency reports that some APTs may have gained access to the victim’s Microsoft Exchange Server as early as mid-January 2021. BleepingComputer reports that they used “the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples,” on the organization’s network, and that they exploited the ProxyLogon collection of Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

CISA has published, separately, a detailed analysis of both CovalentStealer and HyperBro, the tools that figured prominently in the exploitation.

Impacket is a widespread risk.

The Record by Recorded Future quotes Katie Nickels, director of intelligence at Red Canary, who says that Impacket is a prevalent risk: “In September, it was the fourth most prevalent threat we observed. The good news is that Impacket can be detected with endpoint and network visibility. However, while Impacket is fairly easy to detect, it can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment.”

The report includes information about detection, containment and remediation, and mitigation. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend that defense industrial base and critical infrastructure organizations implement the provided mitigations.

Cyberespionage during a period of heightened tension.

Added, 10.5.22.

Tom Kellermann, CISM, senior vice president of cyber strategy at Contrast Security, sees the killchain and the kind of backdoor installed as indicating, circumstantially, a Chinese APT. China is also a common threat actor against US targets in cyberspace. He sees the incident as having important security implications. “The national security implications of this espionage campaign are significant,” he wrote. “The Chinese threat actor behind this intrusion represents their ‘A team.’ With tensions simmering over Taiwan, we presume more of these infiltrations are occurring. The likelihood of them island hopping through the victim organization into military networks is high. Expanded threat hunting across Microsoft exchange servers and their administrators' endpoints are imperative. My biggest concern is whether the integrity of the data was manipulated post exploitation.”

(On the question of attribution, The Register, in a noncommittal way, points to the brief appearance of a text box alluding to Russian hacking on CISA's page. "While the federal government didn't attribute the break-in to any particular gangs or nation states, a blue box at the top of CISA's security alert at one point told organizations what to do to 'protect against Russian-state sponsored malicious cyber activity.' That reference to Russia has since vanished." In truth the question of attribution remains open.)