A two-year campaign by state-sponsored Russian agencies to siphon off information from US defense contractors worked, they say.
Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said Moscow’s cybersniffs have obtained “significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and communications infrastructure and information technology plans.”
The agency added that the intruders made off with sensitive and unclassified emails and documents, as well as data on proprietary and export-controlled technology.
CISA’s announcement and an accompanying report [PDF] state that it, the FBI, and the NSA have all identified “regular attacks” on contractors serving the US Department of Defense, intelligence agencies, and all branches of the US military except the Coast Guard. Contractors to the US Space Force, formed in 2019, have also been targeted.
The campaign started “at least” as early as January 2020 and ran until February 2022. Apropos of nothing, 150,000 Russian soldiers have gathered near the border with Ukraine, and American officials believe an invasion is imminent. Russia says it won’t, and world leaders are trying to defuse the situation with diplomacy.
Attackers modified permissions to grant read access to all SharePoint pages
It is said that whoever broke into the systems of the US defense contractors did not use any new tactics. According to CISA, the favorite weapons of the Kremlin-backed cyber attackers were established techniques such as spear phishing, credential harvesting, password brute force and exploitation of known vulnerabilities.
The attackers prioritized their efforts to attack Microsoft 365 — the Windows giant’s suite of productivity apps and complementary cloud services, we’re told.
Obtaining legitimate M365 credentials appears to have been the jackpot for the intruders, who used them to maintain a presence at defense contractors for months. These infiltrations often went undetected.
One successful attack involved criminals exploiting valid global administrator account credentials within an M365 tenant and using them to “modify the permissions of an existing enterprise application to allow read access to all SharePoint sites in the environment, as well as tenant user profiles and email inboxes.”
Other attackers focused on CVE-2018-13379, a flaw in Fortinet’s FortiGate SSL VPN that was exposed in May 2019. Yes, that means defense contractors were running unpatched kit at least seven months after the alert was raised for a bug with a 9.8/10 Common Vulnerability Scoring System rating.
CISA’s response is a long list of security controls and practices that defense companies are expected to adhere to, some of which — like the requirement to “launch a software and patch management program” — certainly would not be news to a competent manager, governance officer, or new IT professional, let alone someone who works in such roles at a defense contractor.
Other basic guidance includes running antivirus software, enforcing the use of strong passwords, and adopting multi-factor authentication. Enforcement of the principle of least privilege is also recommended.
There is also some more specific advice that some organizations may be excused for lacking – such as implementing centralized log management and correlating M365 logs with security application outputs.
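The permission change described above (an enterprise application quietly granted read access to every SharePoint site, mailbox and user profile) is exactly the kind of event that centralized log management and M365 log correlation are meant to surface. The following script is an added example, not code from the article or from CISA’s report: it flags tenant-wide read grants to a service principal in a simplified, constructed audit-log feed and correlates each with the granting account’s recent sign-ins from unrecognised addresses. The record layout and field names (time, operation, actor, app, permission, ip) are assumptions standing in for whatever a SIEM normalises from the Azure AD audit and sign-in logs; the permission names are real Microsoft Graph scopes, but the sample data, IPs and account names are made up.

```python
"""Flag tenant-wide read grants to an enterprise application and correlate
them with the granting account's recent sign-ins.

Added example, not code from the article or CISA. The record layout is a
constructed, simplified stand-in for SIEM-normalised Azure AD audit and
sign-in logs; field names are assumptions, not Microsoft's schema.
"""
import json
from datetime import datetime, timedelta

# Microsoft Graph application permissions that let a service principal read
# every SharePoint site, mailbox or user profile in the tenant. The scope
# names are real; which ones to watch is a defender's choice.
TENANT_WIDE_READ = {
    "Sites.Read.All", "Sites.FullControl.All",
    "Mail.Read", "Mail.ReadWrite",
    "User.Read.All", "Directory.Read.All",
}

# Audit operation recorded when an app role (application permission) is
# assigned to a service principal.
GRANT_OPERATIONS = {"Add app role assignment to service principal"}

# Constructed sample data: an admin account grants a dormant connector app
# read access to all sites and all mail, shortly after signing in from an
# address the organisation has never seen. "User.Read" on the last line is a
# delegated, per-user scope and should not be flagged.
AUDIT_LOG = """\
{"time": "2022-01-10T08:15:00", "operation": "Add app role assignment to service principal", "actor": "globaladmin@contractor.example", "app": "Legacy Reporting Connector", "permission": "Sites.Read.All"}
{"time": "2022-01-10T08:16:00", "operation": "Add app role assignment to service principal", "actor": "globaladmin@contractor.example", "app": "Legacy Reporting Connector", "permission": "Mail.Read"}
{"time": "2022-01-10T09:00:00", "operation": "Update user", "actor": "helpdesk@contractor.example"}
{"time": "2022-01-11T10:00:00", "operation": "Add app role assignment to service principal", "actor": "helpdesk@contractor.example", "app": "Ticket Bot", "permission": "User.Read"}
"""

SIGNIN_LOG = """\
{"time": "2022-01-05T09:00:00", "actor": "globaladmin@contractor.example", "ip": "198.51.100.7"}
{"time": "2022-01-10T07:50:00", "actor": "globaladmin@contractor.example", "ip": "203.0.113.45"}
{"time": "2022-01-10T08:00:00", "actor": "helpdesk@contractor.example", "ip": "198.51.100.7"}
"""

# Addresses the organisation recognises (office egress, VPN); constructed.
KNOWN_IPS = frozenset({"198.51.100.7"})


def parse_records(ndjson_text):
    """Parse newline-delimited JSON records, converting 'time' to datetime."""
    records = []
    for line in ndjson_text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def risky_grants(audit_records):
    """Return grant events that hand an application tenant-wide read access."""
    return [
        r for r in audit_records
        if r.get("operation") in GRANT_OPERATIONS
        and r.get("permission") in TENANT_WIDE_READ
    ]


def correlate_with_signins(grants, signins, known_ips=KNOWN_IPS,
                           window=timedelta(hours=24)):
    """Pair each risky grant with sign-ins by the same account from
    unrecognised addresses in the preceding window. A grant with such a
    sign-in behind it is rated high; one without is still worth review."""
    findings = []
    for g in grants:
        suspicious = [
            s for s in signins
            if s["actor"] == g["actor"]
            and g["time"] - window <= s["time"] <= g["time"]
            and s["ip"] not in known_ips
        ]
        findings.append({
            "grant": g,
            "suspicious_signins": suspicious,
            "severity": "high" if suspicious else "medium",
        })
    return findings


def run_example():
    """Run the detection over the constructed logs and return the findings."""
    grants = risky_grants(parse_records(AUDIT_LOG))
    return correlate_with_signins(grants, parse_records(SIGNIN_LOG))


if __name__ == "__main__":
    for f in run_example():
        g = f["grant"]
        print(f"[{f['severity']}] {g['time']} {g['actor']} granted "
              f"{g['permission']} to '{g['app']}'; unrecognised sign-ins: "
              f"{[s['ip'] for s in f['suspicious_signins']]}")
```

Run against the constructed logs, the two grants to "Legacy Reporting Connector" are flagged at high severity because the same global admin signed in from an unrecognised address 25 minutes earlier, while the help desk's delegated "User.Read" grant is ignored. The point of the correlation step is the one CISA’s advice makes: the grant alone is a medium-confidence signal, but only a central log store that holds both the audit trail and the sign-in trail can turn it into a high-confidence one.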
Contractor suppliers are also in the frame, as CISA’s guidance requires a review of trust relationships, including with managed service providers and cloud service providers.
Whether US defense and intelligence organizations also review their trust relationships with suppliers that have not performed basic infosec hygiene is not discussed in the document.
CISA is not sure it has got to the bottom of the situation. Its disclosure promises a $10 million reward for more information on Russian infiltration activities. ®