
Russian Cyberspies Stole U.S. Defense Data in Attacks on Contractors

Cleared defense contractors working with the United States government have been targeted by Russian cyberspies whose goal is to obtain sensitive defense and intelligence data, according to an advisory issued on Wednesday by U.S. agencies.

The advisory comes from the FBI, NSA and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA). The agencies claim that Russian state-sponsored threat actors have regularly targeted defense contractors from at least January 2020 until now.

The targeted contractors support the Pentagon and the intelligence community with communications, combat systems, intelligence, surveillance, reconnaissance, weapons and missile development, vehicle and aircraft design, software development, data analytics and logistics.

According to the agencies, the contractors whose systems have been breached by Russian hackers worked with the Army, Air Force, Navy, Space Force, and Department of Defense and intelligence programs.

In some cases, threat actors had access to contractor networks for at least six months, obtaining emails and documents containing information on contract details, tests and timelines, funding, product development and foreign partnerships.

“By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment,” the agencies said.

While the compromised information has been described as “unclassified,” it can still be very valuable to foreign governments as it included proprietary and export-controlled information.

“This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military,” the advisory reads. “Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses.”

While the advisory does not specifically mention any Russia-linked threat actor, it does include references to activity associated with a well-known group tracked as APT28, Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team.

The attacks are expected to continue, which is why the agencies are encouraging defense contractors to take steps to improve their defenses.

The advisory contains information on the tactics, techniques and procedures (TTPs) used by threat actors, and the methods used for initial access, credential harvesting, command and control, and persistence.

The advisory also provides instructions for detecting malicious activity, incident response and remediation advice, as well as mitigations.

The agencies have also once again highlighted that the U.S. government is offering rewards of up to $10 million for information on individuals involved in malicious cyber activities aimed at critical infrastructure.

CISA and other government agencies have issued two other alerts over Russian cyber activity this year, as tensions mount over a potential Russian invasion of Ukraine.

Related: Russian Cyberspy Groups Start Exploiting Log4Shell Vulnerability

Related: Russians Used Brute Force Attacks Against Hundreds of Orgs: Security Agencies

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.