As Western policymakers grapple with how to interpret promising signs of potential deescalation in the Russia/Ukraine conflict, U.S. cybersecurity agencies continue to warn private industry and defense contractors to be on guard for potential Russian hacking campaigns.
The latest missive is a joint advisory Wednesday from the Cybersecurity and Infrastructure Security Agency, the FBI and the NSA detailing how Russian hackers have been persistently targeting cleared U.S. defense contractors over the past two years. In particular, the campaign targets companies responsible for supporting U.S. military and intelligence capabilities, including providing weapons and missile development, software development and logistics, command, control, communications and combat systems, intelligence, surveillance reconnaissance and targeting and vehicle and aircraft design.
While Russian APTs are known for developing custom malware and novel attack paths, these threat actors aren’t doing anything particularly sophisticated to get into contractor systems, relying on standbys like spearphishing, brute force password cracking, credential harvesting and previously disclosed vulnerabilities. Compromising cloud environments and Microsoft 365 are among the environments they have prioritized.
“These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data,” the agencies wrote.
The agencies claim these effort have resulted in the exfiltration and theft of what is known as controlled unclassified information — data around ongoing contracts and projects that fall below short of classification but contain proprietary trade secrets that contractors are still required to secure — that has provided the Russian government with “significant insight into U.S. weapons platform development and deployment timelines, vehicle specifications and plans for communications infrastructure and information technology.”
This kind of cyberespionage is common, though the agencies say this particular campaign has been ongoing since at least January 2020 and remains ongoing today. They’re not one off or temporary either: some of the actors were in contractor networks for up to six months, and the information stolen includes data from contractors supporting the U.S. Army, Navy, Air Force, Space Force and intelligence agencies.
“Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms,” the agencies noted. “In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence, enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.”
How best to treat controlled unclassified information remains an ongoing question that the Department of Defense has struggled to answer. On the one hand, intelligence officials and lawmakers have repeatedly criticized the overclassification of otherwise routine documents and the negative impact it has on both national security and public transparency. On the other, officials have argued for years that the relentless theft of such controlled unclassified data has contributed to the material degradation of U.S. military advantage over countries like Russia and China.
The DoD is currently attempting to set up a certification program that would provide some form of auditing over the cybersecurity practices of defense contractors. But the program, called the Cybersecurity Maturity Model Certification, has gone through multiple iterations and restarts as Pentagon officials grapple with how stringent to make the requirements.
Initially the department envisioned that the vast majority of the 200,000 to 300,000 members of the defense industrial base would need independent audits from a third party showing that they were implementing cybersecurity controls spelled out in federal contracts. That plan received substantial pushback from the contractor community, while DoD officials have fretted that the requirements could shrink the defense industrial base too much and deny the military the ability to work with small or innovative businesses.
Last year, DoD rolled out “CMMC 2.0,” which attempted to simplify the different levels of certification and allow large chunks of the contractor base to continue self-certifying that they were following digital security requirements. That plan was walked back just last week when DoD officials acknowledged that, because many contractors are expected to have some nexus to controlled unclassified information, they would almost all need independent third-party assessments after all.