Russian actors targeting U.S. defense contractors in cyber espionage campaign, CISA warns
State-sponsored threat actors from Russia have stolen unclassified but sensitive data on US weapons development and specific technologies used by the US military and government as part of a broader and ongoing cyber espionage campaign going back to at least January 2020.
The campaign’s victims have included big and small private companies and contractors that have obtained security clearance to do work for the US Department of Defense and the intelligence community, the US Cybersecurity and Infrastructure Security Agency (CISA) said in an alert Wednesday. These cleared defense contractors (CDCs) support contracts for the US government in multiple areas, including weapons and missile development, intelligence and surveillance, combat systems, and vehicle and aircraft design.
The CISA alert did not identify any Russian state actor by name. But in describing several of the tactics, techniques, and procedures (TTPs) used in the campaign, the report pointed to a MITRE group description of APT28, aka Fancy Bear, a threat group that the US government has linked to the GRU, Russia’s main intelligence directorate. The threat actor has been associated with numerous high-profile cyber incidents, including the breach at the Democratic National Committee during the run-up to the 2016 presidential election and a sustained campaign against the World Anti-Doping Agency between 2014 and 2018. In 2018 the US indicted seven Russian intelligence officers for their roles in the campaign.
CISA’s notification is sure to heighten concerns about more Russian cyberattacks against US organizations amid worsening relations between the two countries over Ukraine. In fact, this week President Biden specifically warned Russia against attacking US organizations and critical infrastructure “through asymmetric means, like disruptive cyberattacks.” The US is prepared to respond to such attacks, Biden warned.
CISA’s Wednesday alert itself follows an earlier “Shields Up” notice from the agency, urging US organizations to take measures that help them quickly detect and respond to potentially damaging cyber intrusions by Russian threat actors. CISA noted how Russia has used cyber as a “key component of their force projection” over the last decade, including during its conflicts with Ukraine.
Clear and Present Danger
“This warning underscores the clear and present danger posed by Russian-based cyber militias,” says Tom Kellermann, head of cybersecurity strategy at VMware. “The declassification of this advisory highlights the ongoing pervasive campaign of island-hopping occurring against government agencies via the defense industrial base.”
According to CISA, the Russian actors behind the campaign targeting US cleared defense contractors have been using effective but common tactics to break into target networks and to maintain persistence on them. These tactics include spear-phishing, brute-force password-guessing, password spraying, credential harvesting, and exploits against known vulnerabilities.
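Two of the tactics named above, password spraying and brute-force guessing, leave distinct shapes in authentication logs: a spray is one source trying a guess or two against many accounts, while brute force is one source hammering a single account. The following Python script is an added example, not part of the CISA alert or the Dark Reading article, showing how a defender can separate those two shapes in a log. The log format (`src=`, `user=`, `result=`) and the sample lines are constructed for the example; the thresholds (10-minute window, 5 accounts, 5 failures) are illustrative assumptions, not figures from the alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the CISA alert).
# 203.0.113.5 tries one guess each against many accounts (spray pattern),
# 198.51.100.7 hammers one account (brute-force pattern),
# 192.0.2.9 is a user who mistyped once and then logged in (benign).
SAMPLE_LOG = """\
2022-02-15T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-02-15T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2022-02-15T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2022-02-15T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2022-02-15T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2022-02-15T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2022-02-15T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:05:01Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:05:02Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:05:03Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:05:04Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T10:05:05Z src=198.51.100.7 user=alice result=FAIL
2022-02-15T11:00:00Z src=192.0.2.9 user=grace result=FAIL
2022-02-15T11:00:30Z src=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed line layout for this example; adapt the regex to your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse key=value lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole scan
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _group(events, key):
    """Bucket events by an arbitrary key (source IP, or source+account)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    return groups


def _failure_windows(evs, window):
    """For every FAIL event used as an anchor, yield the per-account failure counts
    in the following window and whether the same bucket later saw a SUCCESS
    (a guess that eventually worked is the case that matters most)."""
    for i, anchor in enumerate(evs):
        if anchor["result"] != "FAIL":
            continue
        per_user = defaultdict(int)
        for ev in evs[i:]:
            if ev["ts"] - anchor["ts"] > window:
                break
            if ev["result"] == "FAIL":
                per_user[ev["user"]] += 1
        success_after = any(
            e["result"] == "SUCCESS" and e["ts"] >= anchor["ts"] for e in evs
        )
        yield anchor, per_user, success_after


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """One source, few failures per account, many accounts: the spray signature."""
    findings = []
    for src, evs in _group(events, lambda e: e["src"]).items():
        for _anchor, per_user, success_after in _failure_windows(evs, window):
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings.append({"src": src, "distinct_users": len(per_user),
                                 "success_after": success_after})
                break  # one finding per source is enough to raise an alert
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """One source, one account, many failures: the classic guessing signature."""
    findings = []
    for (src, user), evs in _group(events, lambda e: (e["src"], e["user"])).items():
        for _anchor, per_user, success_after in _failure_windows(evs, window):
            if per_user[user] >= min_failures:
                findings.append({"src": src, "user": user, "failures": per_user[user],
                                 "success_after": success_after})
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_password_spray(evs):
        print("SPRAY", f)
    for f in detect_brute_force(evs):
        print("BRUTE", f)
```

Run against the sample, the spray detector flags 203.0.113.5 (five accounts, one failure each, followed by a success), the brute-force detector flags 198.51.100.7 against `alice`, and the single mistyped login from 192.0.2.9 triggers nothing. The two rules are kept separate on purpose: a per-account lockout threshold alone never fires on a spray, because each account sees only one or two failures, which is exactly why the spray pattern is effective against organizations that only count failures per account.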
To read the complete article, visit Dark Reading.