Russia-linked threat actors breached US cleared defense contractors (CDCs)

Pierluigi Paganini February 16, 2022

Russia-linked threat actors have been breaching the networks of U.S. cleared defense contractors (CDCs) since at least January 2020.

According to a joint alert published by the FBI, NSA, and CISA, Russia-linked threat actors conducted a cyber espionage campaign aimed at US cleared defense contractors to steal sensitive info related to intelligence programs and capabilities.

CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in multiple areas:

  • Command, control, communications, and combat systems;
  • Intelligence, surveillance, reconnaissance, and targeting;
  • Weapons and missile development;
  • Vehicle and aircraft design; and
  • Software development, data analytics, computers, and logistics. 

The campaign has been active since at least January 2020 and several US cleared defense contractors were breached by the nation-state actors.

The attackers targeted CDCs and subcontractors of any size with varying levels of cybersecurity protocols and resources. 

“From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors,” reads the joint alert. “The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.”

The threat actors employed similar tactics in many attempts to compromise enterprise and cloud networks. They appear to focus their efforts on organizations using Microsoft 365 (M365) environments. The actors were able to maintain persistence by using legitimate credentials and a variety of malware that was used for data exfiltration. In some cases, the cyberspies maintained persistence for at least six months.

“These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,” states the report. “By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment.”

The alert provides recommendations on how to detect malicious activity and respond in case of compromise.

In mid-January, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint alert to warn critical infrastructure operators about threats from Russian state-sponsored hackers.
