US Agencies Say Russian Hackers Compromised Defense Contractors
Hackers backed by the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has revealed sensitive information about US weapons-development communications infrastructure, the federal government said on Wednesday. Wired reports: The campaign began no later than January 2020 and has continued through this month, according to a joint advisory by the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The hackers have been targeting and successfully hacking cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and intelligence community. "During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months," officials wrote in the advisory. "In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company's products, relationships with other countries, and internal personnel and legal matters." The exfiltrated documents included unclassified CDC-proprietary and export-controlled information. This information gives the Russian government "significant insight" into US weapons-platforms development and deployment timelines, plans for communications infrastructure, and specific technologies being used by the US government and military. The documents also include unclassified emails among employees and their government customers discussing proprietary details about technological and scientific research. The hackers have used a variety of methods to breach their targets. The methods include harvesting network passwords through spear phishing, data breaches, cracking techniques, and exploitation of unpatched software vulnerabilities. After gaining a toehold in a targeted network, the threat actors escalate their system rights by mapping the Active Directory and connecting to domain controllers. From there, they're able to exfiltrate credentials for all other accounts and create new accounts. The hackers make use of virtual private servers to encrypt their communications and hide their identities, the advisory added. They also use "small office and home office (SOHO) devices, as operational nodes to evade detection."
Read more of this story at Slashdot.