US agencies say Russian hackers have compromised defense contractors

Hackers backed by the Russian government breached the networks of multiple U.S. defense contractors in a long-running campaign that exposed sensitive information about U.S. weapons-development and communications infrastructure, the federal government said Wednesday.

The campaign started no later than January 2020 and continued into this month, according to a joint advisory by the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency. The hackers targeted and successfully compromised cleared defense contractors, or CDCs, that hold contracts with the US Department of Defense and the intelligence community.

“During this two-year period, these actors maintained persistent access to multiple CDC networks, in some cases for at least six months,” officials wrote in the advisory. “In cases where actors have successfully gained access, the FBI, NSA and CISA have observed regular and repeated exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relations with other countries, and internal personnel and legal matters.”

The exfiltrated documents include unclassified information that is CDC-proprietary and export-controlled. This information gives the Russian government “significant insight” into the development and deployment timelines of US weapons platforms, plans for communications infrastructure, and specific technologies used by the US government and military. The documents also include unclassified emails between contractor staff and their government customers discussing proprietary details of technology and scientific research.

The advisory said:

These extended infiltrations have allowed participants to acquire sensitive, unclassified information as well as CDC-owned and export-controlled technology. The information obtained provides significant insight into the development and deployment schedules of US weapons platforms, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring their own internal documents and email communications, adversaries can adjust their own military plans and priorities, accelerate technological development efforts, inform foreign policymakers of US intentions, and target potential sources of recruitment. Given the sensitivity of information widely available on CDC’s unclassified networks, the FBI, NSA, and CISA expect that Russian state-sponsored cyber actors will continue to target CDC for US defense information in the near future. These agencies encourage all CDCs to implement the recommended mitigation measures in this advisory regardless of evidence of compromise.

The hackers have used a variety of methods to breach their targets. These include harvesting network passwords through phishing, data breaches and cracking techniques, and exploiting unpatched software vulnerabilities. After gaining a foothold on a target network, the threat actors escalate their privileges by mapping Active Directory and connecting to domain controllers. From there, they can exfiltrate credentials for all other accounts and create new accounts of their own.

The hackers use virtual private servers to encrypt their communications and hide their identities, the advisory added. They also use “small office and home office (SOHO) devices as operational nodes to evade detection.” In 2018, Russia was caught infecting more than 500,000 consumer routers so that the devices could be used to infect the networks they were connected to, exfiltrate passwords, and manipulate traffic passing through the compromised devices.
