The two-year campaign targeted sensitive but unclassified information stored by defense contractors.
Russian hackers are getting a look at U.S. military weapons development and delivery timelines through a two-year cyber campaign targeting defense industrial base companies, a multi-agency alert warned on Feb. 16.
The Cybersecurity and Infrastructure Security Agency, National Security Agency, and the FBI announced that cleared defense contractors, both large and small companies that support the Defense Department and intelligence community, have been regularly and successfully targeted by Russian state-sponsored actors in a campaign that dates back to at least January 2020.
During the two-year campaign, the agencies state, Russian actors "have maintained persistent access to multiple [cleared defense contractor] networks, in some cases for at least six months," and add that successful campaigns have involved the theft of emails and other documents.
The information targeted in the campaign is unclassified but sensitive and nonpublic, and can be synthesized with public-facing contracting data to create "insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology."
According to the advisory, contractors that support very technical areas of expertise – command, control, communications and combat systems, data analytics, software development, and logistics – were targeted. Intelligence, surveillance, reconnaissance, and targeting, weapons development and vehicle or aircraft design were also listed.
The campaign relied on spearphishing attacks, taking advantage of easily guessed usernames and passwords, and exploiting existing unpatched network vulnerabilities, among other techniques, according to the advisory. The effort targeted privileged accounts and in some cases was able to escalate privileges associated with compromised accounts to launch further exploits.
Cloud networks were also targeted, the agencies cautioned.
"In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment," the alert states. "The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data."
The advisory comes after a recent industry report that found defense contractors continued to see an increase in cyber vulnerabilities over the past year. The National Industrial Defense Association released its "Vital Signs" report, which found that as the severity of known IT cybersecurity vulnerabilities decreased, the total reported rose by 11% to in 2021.
The advisory recommends a host of cyber hygiene measures and mitigation techniques to prevent further intrusions and to identify intrusions that are already taking place.