SecurityWeek

Russian Cyberspies Stole U.S. Defense Data in Attacks on Contractors

Cleared defense contractors working with the United States government have been targeted by Russian cyberspies whose goal is to obtain sensitive defense and intelligence data, according to an advisory issued on Wednesday by U.S. agencies.

The advisory comes from the FBI, NSA and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The agencies say that Russian state-sponsored threat actors have regularly targeted cleared defense contractors since at least January 2020, and that the activity is ongoing.

The targeted contractors support the Pentagon and the intelligence community with communications, combat systems, intelligence, surveillance, reconnaissance, weapons and missile development, vehicle and aircraft design, software development, data analytics and logistics.

According to the agencies, the contractors whose systems have been breached by Russian hackers worked with the Army, Air Force, Navy, Space Force, and Department of Defense and intelligence programs.

In some cases, threat actors had access to contractor networks for at least six months, obtaining emails and documents containing information on contract details, tests and timelines, funding, product development and foreign partnerships.

“By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment,” the agencies said.

While the compromised information has been described as “unclassified,” it can still be very valuable to foreign governments, as it includes proprietary and export-controlled information.

“This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military,” the advisory reads. “Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.”


While the advisory does not attribute the campaign to a specific Russia-linked threat actor, it does reference activity associated with the well-known group tracked as APT28, also known as Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team.

The attacks are expected to continue, which is why the agencies are encouraging defense contractors to take steps to improve their defenses.

The advisory describes the tactics, techniques and procedures (TTPs) used by the threat actors, including the methods used for initial access, credential harvesting, command and control, and persistence.

The advisory also provides instructions for detecting malicious activity, incident response and remediation advice, as well as mitigations.

The agencies have also once again highlighted that the U.S. government is offering rewards of up to $10 million for information on individuals involved in malicious cyber activities aimed at critical infrastructure.

CISA and other government agencies have issued two other alerts over Russian cyber activity this year, as tensions mount over a potential Russian invasion of Ukraine.

Related: Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Related: Russians Used Brute Force Attacks Against Hundreds of Orgs: Security Agencies

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
