Russian Cyberspies Stole U.S. Defense Data in Attacks on Contractors

Cleared defense contractors working with the United States government have been targeted by Russian cyberspies whose goal is to obtain sensitive defense and intelligence data, according to an advisory issued on Wednesday by U.S. agencies.

The advisory comes from the FBI, NSA and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The agencies claim that Russian state-sponsored threat actors have regularly targeted defense contractors from at least January 2020 until now.

The targeted contractors support the Pentagon and the intelligence community with communications, combat systems, intelligence, surveillance, reconnaissance, weapons and missile development, vehicle and aircraft design, software development, data analytics and logistics.

According to the agencies, the contractors whose systems have been breached by Russian hackers worked with the Army, Air Force, Navy, Space Force, and Department of Defense and intelligence programs.

In some cases, threat actors had access to contractor networks for at least six months, obtaining emails and documents containing information on contract details, tests and timelines, funding, product development and foreign partnerships.

“By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment,” the agencies said.

While the compromised information has been described as “unclassified,” it can still be very valuable to foreign governments as it included proprietary and export-controlled information.

“This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military,” the advisory reads. “Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.”

While the advisory does not specifically mention any Russia-linked threat actor, it does include references to activity associated with a well-known group tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team.

The attacks are expected to continue, which is why the agencies are encouraging defense contractors to take steps to improve their defenses.

The advisory contains information on the tactics, techniques and procedures (TTPs) used by threat actors, and the methods used for initial access, credential harvesting, command and control, and persistence.

The advisory also provides instructions for detecting malicious activity, incident response and remediation advice, as well as mitigations.

The agencies have also once again highlighted that the U.S. government is offering rewards of up to $10 million for information on individuals involved in malicious cyber activities aimed at critical infrastructure.

CISA and other government agencies have issued two other alerts over Russian cyber activity this year, as tensions mount over a potential Russian invasion of Ukraine.

Related: Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Related: Russians Used Brute Force Attacks Against Hundreds of Orgs: Security Agencies