Russian Nation-Backed Adversaries are Targeting the US Government Contractors: CISA Warning

On February 16, 2022, Cybersecurity and Infrastructure Security Agency (CISA) disclosed the latest intelligence information about Russia-linked cyber-attacks on the US Cleared Defense Contractors (CDCs) that have been in operation for at least two years now. The targeted CDCs had access to a variety of sensitive data sources, including weapons development, surveillance data, communication lines, and software specifications. The known victims include the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.

The FBI, CISA, and NSA emphasize the importance of protecting Cleared Defense Contractor Networks against potential Russian cyber-attacks. We’ve gathered the latest detection content available in SOC Prime’s platform right now so you can ensure the timely mitigation of the abovementioned attacks in your organization.

Russia-Linked Cyber Espionage Campaign: Insights and Risks

According to CISA, the primary goal of Russian state-sponsored malicious cyber activity is to gain access to military plans and priorities of the US government. As a result, they can improve their own technological development efforts or even try to recruit the victims that they target.

The alleged persistent access to a multitude of CDC networks has been maintained since at least January 2020, with regular exfiltration of the sensitive data from documentation and emails. The commonly used Microsoft 365 suite of services has been the most frequent target. Adversaries mostly exploit the known vulnerabilities for leveraging credential harvesting, brute force attacks, and spear phishing. While the applied attackers’ TTPs are not uncommon, the alarming fact is that hackers use a wide variety of malware strains that can only be identified by continuously deploying the latest detection rules.

The US government agencies assume that state-sponsored threat actors from Russia will continue their intrusion attempts to target the Defense Contractor Networks in the nearest future. Therefore, it is advised that CDCs apply the most advanced cyber defense measures to withstand the possibly ongoing attack as well as future attempts.

Detect and Mitigate Potential Russian Cyber-Attacks

To detect the malicious activity associated with the Russian state-sponsored actors and increase the awareness of potential threats, you can leverage curated detection content already available in SOC Prime’s platform. The table below (provided by CISA) lists common tactics, techniques, and procedures (TTPs) used by Russian nation-backed actors in the course of attacks against the US contractors and offers a batch of Sigma rules addressing adversary TTPs.




Detection Content from SOC Prime’s Platform

Reconnaissance (TA0043)

Credential Access (TA0006)

Gather Victim Identity Information: Credentials (T1589.001)

Brute Force (T1110)

Adversaries have applied brute force to identify legitimate account credentials for domain and Microsoft 365 accounts. Compromised credentials have enabled threat actors to get initial access to target networks.

Initial Access (TA0001)

External Remote Services (T1133)

Multiple nation-state APT groups have scanned for vulnerabilities in Fortinet’s Fortigate® VPN devices, conducting brute force attacks and weaponizing CVE-2018-13379 to receive credentials and gain access to compromised networks.

Initial Access (TA0001)

Privilege Escalation (TA0004)

Valid Accounts (T1078)

Exploit Public-Facing Application (T1190)

Attackers have taken advantage of identified account credentials and exploited vulnerabilities (CVE-2020-0688 and CVE-2020-17144) on VPNs and Microsoft Exchange servers to gain remote code execution and acquire further network access.

Initial Access (TA0001)

Defense Evasion (TA0005)

Phishing: Spearphishing Link (T1566.002)

Obfuscated Files or Information (T1027)

Cybercriminals have conducted targeted spear-phishing email campaigns through publicly accessible URL shortening tools. Leveraging this common obfuscation technique enabled threat actors to bypass malware and spam scanning tools while encouraging users to click the shortened link.

Initial Access (TA0001)

Credential Access (TA0006)

OS Credential Dumping: NTDS (T1003.003)

Valid Accounts: Domain Accounts (T1078.002)

Nation-state cybercriminals have obtained or abused credentials to access the targeted VPN server and obtain privileged access to the domain controller. Once compromised, threat actors may attempt to dump credentials from the targeted domain controller and make a copy of the Active Directory domain database leveraging the NTDS file (NTDS.dit).

Initial Access (TA0001)

Privilege Escalation (TA0004)

Collection (TA0009)

Valid Accounts: Cloud Accounts (T1078.004)

Data from Information Repositories: SharePoint (T1213.002)

Adversaries have leveraged legitimate credentials of a global Microsoft 365 admin account to access the administrative portal and update permissions providing read access to all SharePoint pages within the tenant, as well as tenant user profiles and email inboxes.

Initial Access (TA0001)

Collection (TA0009)

Valid Accounts: Domain Accounts (T1078.002)

Email Collection (T1114)

For instance, in one of the cases, cybercriminals have applied valid credentials to exfiltrate mailboxes from the victims’ accounts.

In another case, attackers have gained access to email credentials in order to collect sensitive data.

Persistence (TA0003) 

Lateral Movement (TA0008)

Valid Accounts (T1078)

Attackers have abused legitimate credentials to maintain persistent access to compromised accounts. Once some account passwords have been changed by the users, adversaries have pivoted across other accounts in the system to compromise them.

Discovery (TA0007)

File and Network Discovery (T1083)

Threat actors have accessed the targeted network and leveraged the BloodHound tool to map out relationships to the Active Directory domain.

Command and Control (TA0011)

Proxy: Multi-hop Proxy (T1090.003)

Attackers have applied multiple nodes to route traffic to the target.

Join our SOC Prime’s Detection as Code platform right now and benefit from the worldwide collaboration of cybersecurity professionals to stay ahead of constantly emerging threats. If you’re a content developer, apply to join the SOC Prime Threat Bounty Program, submit your original Sigma and Yara rules, pass the quality check to get your content published via SOC Prime’s platform, and receive repeated payouts.

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts