
US agencies say Russian state hackers compromised defense contractors


Hackers backed by the Russian government have compromised the networks of multiple US defense contractors in a sustained campaign to obtain sensitive information about US weapons development and communications infrastructure, the federal government said on Wednesday.

The campaign began no later than January 2020 and has continued through this month, according to a joint advisory from the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The hackers have targeted and successfully breached cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and the intelligence community.

“During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months,” officials wrote in the advisory. “In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.”

The exfiltrated material includes the CDCs’ unclassified proprietary and export-controlled information. That information has given the Russian government “significant insight” into the development and deployment timelines of US weapons platforms, plans for communications infrastructure, and the specific technologies used by the US government and military. The documents also include unclassified emails between employees and their government customers discussing proprietary details of science and technology research.

The advisory says:

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

The hackers have used a variety of methods to compromise their targets. These include harvesting network passwords through spearphishing, data breaches, password-cracking techniques, and the exploitation of unpatched software vulnerabilities. After gaining a foothold in a targeted network, the threat actors escalate their privileges by mapping the Active Directory and connecting to domain controllers. From there, they can exfiltrate the credentials for all other accounts and create new accounts of their own.

The hackers use virtual private servers to encrypt their communications and hide their identities, the advisory adds. They also use “small office and home office (SOHO)” devices as hop points to evade detection. In 2018, Russia was caught infecting more than 500,000 consumer routers so that the devices could be used to infect the networks they were attached to, steal passwords, and manipulate traffic passing through the compromised device.

These and other techniques appear to have been successful.

“In many cases, the threat actors maintained persistent access for at least six months,” the joint advisory stated. “Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence, enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.”

The advisory includes a list of technical indicators that administrators can use to determine whether their networks have been compromised in the campaign. It also urges all CDCs to investigate suspicious activity in their enterprise and cloud environments.
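Two of the behaviors described above leave traces in ordinary authentication logs: the creation of new accounts after the actors reach a domain controller, and the pivoting between legitimate accounts that let them persist without malware. The following is an added example, not part of the Ars Technica article or of the advisory: a small Python hunt over constructed Windows Security-log-style events (the hostnames, account names, IP addresses and timestamps are invented) that flags accounts created and added to an administrative group within a short window, and any single source address that logs on as several different accounts within an hour. The event IDs (4720, 4728, 4732, 4624) are the standard Windows ones; the thresholds and the field names of the sample records are assumptions to be adapted to whatever SIEM export is actually in use.

```python
"""Hunt for two advisory-described behaviors in authentication logs.

Constructed example events (NOT real logs), loosely modelled on Windows
Security log fields:
  4720 = user account created
  4728 / 4732 = member added to a global / local security group
  4624 = successful logon
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Names, hosts, IPs and times are invented.
SAMPLE_EVENTS = [
    {"time": "2021-03-02T01:12:04", "event_id": 4720, "target": "svc_backup2",
     "subject": "jdoe", "host": "DC01", "src_ip": "-"},
    {"time": "2021-03-02T01:13:40", "event_id": 4732, "target": "svc_backup2",
     "group": "Administrators", "subject": "jdoe", "host": "DC01", "src_ip": "-"},
    # One external address logging on as four different users in minutes.
    {"time": "2021-03-02T02:00:01", "event_id": 4624, "target": "svc_backup2",
     "host": "FS01", "src_ip": "203.0.113.9"},
    {"time": "2021-03-02T02:04:11", "event_id": 4624, "target": "jdoe",
     "host": "FS01", "src_ip": "203.0.113.9"},
    {"time": "2021-03-02T02:05:30", "event_id": 4624, "target": "asmith",
     "host": "FS01", "src_ip": "203.0.113.9"},
    {"time": "2021-03-02T02:07:12", "event_id": 4624, "target": "mkhan",
     "host": "FS01", "src_ip": "203.0.113.9"},
    # Benign: help desk creates an account but grants no admin rights.
    {"time": "2021-03-02T09:30:00", "event_id": 4720, "target": "newhire1",
     "subject": "helpdesk", "host": "DC01", "src_ip": "-"},
    # Benign: the new user logs on once from a workstation.
    {"time": "2021-03-02T09:31:00", "event_id": 4624, "target": "newhire1",
     "host": "WS22", "src_ip": "10.0.4.22"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def new_admin_accounts(events, window=timedelta(hours=24)):
    """Return (account, group, actor) for accounts created (4720) and then
    added to a security group (4728/4732) within `window`. Attackers who
    create their own accounts typically grant them privileges right away."""
    created = {e["target"]: parse_time(e["time"])
               for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] in (4728, 4732) and e["target"] in created:
            delta = parse_time(e["time"]) - created[e["target"]]
            if timedelta(0) <= delta <= window:
                hits.append((e["target"], e.get("group", "?"), e.get("subject", "?")))
    return hits


def account_hopping(events, min_accounts=3, window=timedelta(hours=1)):
    """Return {src_ip: [users]} for sources that authenticated as at least
    `min_accounts` distinct users within `window`. A legitimate user rarely
    needs several identities from one address in an hour; an intruder holding
    a cache of stolen credentials often does. Local/placeholder sources are
    skipped because 4720/4732 events carry no network address."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["src_ip"] not in ("-", "", "127.0.0.1"):
            by_src[e["src_ip"]].append((parse_time(e["time"]), e["target"]))
    flagged = {}
    for ip, logons in by_src.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            users = {user for t, user in logons[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for account, group, actor in new_admin_accounts(SAMPLE_EVENTS):
        print(f"new privileged account: {account} added to {group} by {actor}")
    for ip, users in account_hopping(SAMPLE_EVENTS).items():
        print(f"account hopping from {ip}: {', '.join(users)}")
```

Run against real exports, both checks need tuning: service accounts that legitimately authenticate from a shared jump host will trip the hopping rule unless that host is allow-listed, and the creation-to-privilege window should match the organisation's own provisioning process. The point of the example is the shape of the logic, which matches what the advisory describes: credential possession, not malware, is what the actors rely on, so authentication telemetry is where they show up.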

This story originally appeared on Ars Technica.

