Updated on 2022-10-09: NSA: Who hacked what now?!
Spies snooped inside a U.S. military defense contractor’s network for months and stole a cache of sensitive data, according to a joint release by the NSA, CISA and the FBI. The U.S. agencies point the finger of blame at an unspecified APT group, but it could be Russia if a since-deleted reference to protecting “against Russian-state sponsored malicious cyber activity” is anything to go by. Whoops?
Updated on 2022-10-07
The NSA, the FBI, and CISA warned about Chinese hackers targeting U.S. and allied networks and tech firms, exploiting known vulnerabilities to gain access to confidential networks and pilfer intellectual property. Read more: US govt shares top flaws exploited by Chinese hackers since 2020
Updated on 2022-10-06: NSA, CISA, FBI advisory
The NSA, CISA, and the FBI issued a joint security advisory on Tuesday, warning about APT attacks against US Defense Industrial Base organizations. The advisory specifically mentioned the attacker’s propensity to use an open-source tool named Impacket to gain an initial foothold inside orgs and the use of a private tool called CovalentStealer to exfiltrate data from the victim’s systems. Impacket, in particular, is a very popular tool with attackers and was ranked #1 in Red Canary’s threat landscape report in June as one of the most widely and most commonly detected tools that month. More from Katie Nickels, Director of Intelligence at Red Canary:
“Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems. The good news is that Impacket can be detected with endpoint and network visibility. However, while Impacket is fairly easy to detect, it can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment. Approximately one third of the Impacket detections we saw in 2021 were from confirmed testing. If an organization’s infosec team detects a malicious instance of Impacket, they should consider isolating the endpoint because there may be an active adversary in their environment. By detecting the use of Impacket early in an intrusion, defenders have a good chance at stopping that intrusion and preventing exfiltration of sensitive data.”
- Malware Analysis Report (AR22-277A) MAR-10365227-1.v1 CovalentStealer
- Intelligence Insights: June 2022
The U.S. government warned that state-backed hackers used the custom CovalentStealer malware and the Impacket framework to steal confidential information from a Defense Industrial Base organization. Read more: Alert (AA22-277A) Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
In a joint cybersecurity advisory (CSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) say that cyber intruders lurked in a US military contractor’s network for months. The state-sponsored threat actors stole sensitive data. The CSA provides technical details of the incident response that took place between November 2021 and January 2022.
- This information is very useful to build post exploitation detection rules. The attack involved an Exchange server, so with that in mind, it makes an interesting read to understand what more advanced attackers may attempt after the initial compromise.
- DHS counts over 100,000 companies as part of the Defense Industrial Base, so there are many other similar stories. This one is another example of unpatched Exchange vulnerabilities being exploited at the front end, and then a lack of monitoring/hunting processes led to an unacceptably long time to detect.
- Not only was one group hanging out for a long time, but other APTs also came and went during that same interval. The mitigations focus on monitoring for impossible logins, impossible travel and multiple account use over a single VPN connection. MFA has to be mandatory for remote access. Make sure that remote access services are known, approved and secure. Use separate accounts for administrative privileges, then monitor their use. Limit these accounts to only those who need them and audit this regularly. Trust me, anyone with a C in their title doesn’t need one outside of any privileges needed to manage their laptop.
Read more in
- Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
- Cyber-snoops broke into US military contractor, stole data, hid for months
- Hackers stole data from US defense org using Impacket, CovalentStealer
- Hackers maintained deep access inside military organization’s network, U.S. officials reveal
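The two monitoring checks the comment above calls out, impossible travel and multiple accounts authenticating over a single VPN connection, as an added example run over constructed VPN log lines; this is not code from the advisory or from the page. It assumes the VPN concentrator already geolocates each client IP; the users, IPs, session ids and coordinates are invented.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample VPN authentication log (not from the advisory):
# (timestamp, user, client_ip, vpn_session_id, latitude, longitude).
# Assumes the VPN concentrator already geolocates the client IP; coordinates are approximate.
VPN_LOG = [
    ("2021-11-03T08:00:00", "alice",      "203.0.113.10", "s1", 38.9, -77.0),  # Washington, DC
    ("2021-11-03T08:25:00", "alice",      "198.51.100.7", "s2", 55.7,  37.6),  # Moscow, 25 min later
    ("2021-11-03T09:00:00", "bob",        "192.0.2.44",   "s3", 40.7, -74.0),  # New York
    ("2021-11-03T09:05:00", "svc_backup", "192.0.2.44",   "s3", 40.7, -74.0),  # same VPN session
    ("2021-11-03T09:07:00", "admin_jane", "192.0.2.44",   "s3", 40.7, -74.0),  # same VPN session
    ("2021-11-03T14:00:00", "bob",        "192.0.2.44",   "s4", 40.7, -74.0),  # bob again, benign
]

MAX_SPEED_KMH = 900.0  # faster than an airliner: treat as physically impossible travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(log, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user whose distance/time implies travel above max_speed_kmh.
    Returns a list of (user, from_ip, to_ip, km, hours)."""
    by_user = defaultdict(list)
    for ts, user, ip, _sess, lat, lon in log:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if km > max_speed_kmh * hours:  # avoids dividing by zero when logins share a timestamp
                hits.append((user, ip1, ip2, round(km), round(hours, 2)))
    return hits

def shared_session_accounts(log, min_accounts=2):
    """Map VPN session id -> sorted users, for sessions where more than one account authenticated."""
    users = defaultdict(set)
    for _ts, user, _ip, sess, _lat, _lon in log:
        users[sess].add(user)
    return {s: sorted(u) for s, u in users.items() if len(u) >= min_accounts}
```

On the sample log, `impossible_travel` flags alice's DC-to-Moscow hop and `shared_session_accounts` flags session s3, where a user, a service account and an admin account all authenticated over one connection.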
Updated on 2022-09-29
A new, highly targeted campaign has hit several military contractors involved in weapons manufacturing, including a supplier of F-35 Lightning II fighter aircraft components.
Securonix researchers said they identified a new covert campaign targeting multiple military and weapons contractors, including a strategic supplier to the F-35 Lightning II fighter aircraft. Securonix named this campaign STEEP#MAVERICK but did not attribute it to any specific threat actor. Read more: Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors