Russia 'stole US defense data' from IT systems

Clearly no need for leet zero-day hax when you can spearphish and exploit months-old vulnerabilities

A two-year campaign by state-sponsored Russian entities to siphon information from US defense contractors worked, it is claimed.

Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday said Moscow's cyber-snoops have obtained "significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology."

The Agency added that the intruders made off with sensitive and unclassified email and documents as well as data on proprietary and export-controlled technology.

CISA's announcement and an accompanying report [PDF] state that it, the FBI, and the NSA have all spotted "regular targeting" of contractors that serve the US Department of Defense, intelligence agencies, and all branches of the US military other than the Coast Guard. Contractors serving the US Space Force, which was founded in 2019, were also targeted.

The campaign started in "at least" January 2020 and ran until February 2022. Apropos of nothing, 150,000 Russian troops have gathered near Ukraine's borders, and American officials believe an invasion is imminent. Russia says it's not going to do that, and world leaders are trying diplomacy to defuse the situation.

Attackers changed permissions to give read access to all SharePoint pages

Whoever broke into the US defense contractors' systems did not use novel tactics, it is said. The Kremlin-backed cyber-attackers' weapons of choice were established techniques such as spearphishing, credential harvesting, brute forcing of passwords, and exploiting known vulnerabilities, according to CISA.

The attackers prioritized efforts to target Microsoft 365 – the Windows giant's suite of productivity apps and complementary cloud services, we're told.

Obtaining legitimate M365 credentials appears to have been the jackpot for the intruders, who used them to maintain a presence inside defense contractors' networks for months at a time. Those infiltrations often went undetected.

One successful attack involved miscreants scoring valid credentials to a global admin account within an M365 tenant and using it "to change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes."

Other attackers focused on CVE-2018-13379, a flaw in Fortinet's FortiGate SSL VPN disclosed in May 2019. Yes, that means defense contractors were running unpatched kit at least seven months after the alarm was raised over a bug rated 9.8/10 on the Common Vulnerability Scoring System.

CISA's response is a long list of security controls and practices it wants defense contractors to observe, some of which – such as an exhortation to "initiate a software and patch management program" – surely cannot be news to any competent manager, governance officer, or IT professional, never mind someone working in such roles at a defense contractor.

Other basic guidance includes running antivirus software, enforcing use of strong passwords, and adopting multi-factor authentication. Enforcing the principle of least privilege is also recommended.

There's also some more specific advice that's perhaps excusably not in place at some organisations – such as implementing central log management and correlating M365 logs with output from security appliances.
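The SharePoint permission change quoted above and the log-correlation advice that follows both reduce to the same defensive question: did an application just gain tenant-wide read access, and did the admin who granted it come from somewhere the security appliances recognise? The script below is an added illustration for this article, not code from CISA, Microsoft or The Register. The audit records, the VPN appliance lines, the tenant name `contoso.example` and the simplified field names (`operation`, `actor`, `sourceIp`, `target`, `permission`) are all constructed; a real Azure AD or M365 audit export uses a richer schema, and the permission and operation names are the ones Microsoft Graph and the Azure AD audit log use for these grants.

```python
"""Flag audit events that hand an enterprise application tenant-wide read
access, then check whether the admin who did it came in over the corporate VPN.

Added illustration for this article, not code from CISA or Microsoft. All
records and field names below are constructed and simplified.
"""
import json
from collections import defaultdict

# Graph application permissions that, once granted to an app, expose every
# SharePoint site, every user profile, or every mailbox in the tenant.
HIGH_IMPACT_PERMISSIONS = {
    "Sites.Read.All": "all SharePoint pages",
    "Sites.FullControl.All": "all SharePoint pages (read/write)",
    "User.Read.All": "all tenant user profiles",
    "Mail.Read": "all mailboxes",
    "Mail.ReadWrite": "all mailboxes (read/write)",
}

# Audit operations that change what an application is allowed to do.
PERMISSION_CHANGE_OPS = {
    "Add app role assignment to service principal",
    "Consent to application",
}

# Constructed M365 audit records, one JSON object per line (simplified schema).
M365_AUDIT = """\
{"time": "2021-06-02T03:14:07Z", "operation": "UserLoggedIn", "actor": "admin@contoso.example", "sourceIp": "198.51.100.23", "target": "", "permission": ""}
{"time": "2021-06-02T03:16:40Z", "operation": "Add app role assignment to service principal", "actor": "admin@contoso.example", "sourceIp": "198.51.100.23", "target": "HR Sync Connector", "permission": "Sites.Read.All"}
{"time": "2021-06-02T03:16:41Z", "operation": "Add app role assignment to service principal", "actor": "admin@contoso.example", "sourceIp": "198.51.100.23", "target": "HR Sync Connector", "permission": "User.Read.All"}
{"time": "2021-06-02T03:16:43Z", "operation": "Add app role assignment to service principal", "actor": "admin@contoso.example", "sourceIp": "198.51.100.23", "target": "HR Sync Connector", "permission": "Mail.Read"}
{"time": "2021-06-02T09:00:12Z", "operation": "Add app role assignment to service principal", "actor": "svc-deploy@contoso.example", "sourceIp": "203.0.113.5", "target": "Build Bot", "permission": "Files.Read"}
"""

# Constructed VPN appliance records: the public egress address each user's
# session used. A tenant change from any other address deserves a second look.
VPN_LOG = """\
2021-06-02T02:58:00Z user=admin@contoso.example egress=192.0.2.44
2021-06-02T08:55:30Z user=svc-deploy@contoso.example egress=203.0.113.5
"""


def parse_audit(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_vpn(text):
    """Map each user to the set of egress addresses the VPN appliance saw for them."""
    sessions = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        sessions[fields["user"]].add(fields["egress"])
    return sessions


def find_privilege_grants(events):
    """One finding per high-impact permission granted to an application."""
    findings = []
    for ev in events:
        if ev["operation"] not in PERMISSION_CHANGE_OPS:
            continue
        exposes = HIGH_IMPACT_PERMISSIONS.get(ev["permission"])
        if exposes is None:
            continue
        findings.append({"time": ev["time"], "actor": ev["actor"], "app": ev["target"],
                         "permission": ev["permission"], "exposes": exposes,
                         "source_ip": ev["sourceIp"]})
    return findings


def correlate_with_vpn(findings, vpn_sessions):
    """Mark each finding with whether the actor's source IP matches one of their VPN sessions.

    A grant from an address the VPN never issued to that user is exactly what
    correlating M365 logs with appliance output is meant to surface: the
    credential worked, but it was used from somewhere new.
    """
    for f in findings:
        f["via_vpn"] = f["source_ip"] in vpn_sessions.get(f["actor"], set())
    return findings


def summarize(findings):
    """Per application: permissions gained and whether any grant came from off-VPN."""
    summary = defaultdict(lambda: {"permissions": [], "off_vpn": False})
    for f in findings:
        entry = summary[f["app"]]
        entry["permissions"].append(f["permission"])
        entry["off_vpn"] = entry["off_vpn"] or not f["via_vpn"]
    return dict(summary)


def run(audit_text=M365_AUDIT, vpn_text=VPN_LOG):
    findings = correlate_with_vpn(find_privilege_grants(parse_audit(audit_text)),
                                  parse_vpn(vpn_text))
    return summarize(findings)


if __name__ == "__main__":
    for app, info in run().items():
        flag = "OFF-VPN" if info["off_vpn"] else "via VPN"
        print(f"{app}: {', '.join(info['permissions'])} [{flag}]")
```

On the constructed data the only application flagged is the one that quietly gained SharePoint, user-profile and mailbox read access in the space of three seconds, from an address the VPN never assigned to that admin; the build bot's narrower `Files.Read` grant from a known VPN address is left alone. In a real deployment the two inputs would be the central log store's M365 audit export and the firewall or VPN appliance feed the advisory asks contractors to correlate with it.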

Contractors' suppliers are also in the frame, as CISA's guidance calls for a review of trust relationships including with managed service providers and cloud service providers.

Whether US defense and intelligence organisations are also reviewing their trust relationships with suppliers that did not perform basic infosec hygiene is not discussed in the document.

CISA's not certain it has got to the bottom of the situation. Its disclosure dangles a $10 million reward for further information on Russian infiltration activity. ®


Biting the hand that feeds IT © 1998–2022