Cyber-snoops broke into US military contractor, stole data, hid for months
Tell us it’s Russia without telling us it’s Russia
Spies for months hid inside a US military contractor's enterprise network and stole sensitive data, according to a joint alert from the US government's Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and NSA.
The intruders somehow broke into the defense org's Microsoft Exchange Server – the Feds still aren't sure how – and rummaged through mailboxes for hours and used a compromised admin account to query Exchange via its EWS API. The snoops also ran Windows commands to learn more about the IT setup and gathered up files into archives using WinRAR.
Interestingly, the cyberattackers also used the open source network toolkit Impacket to remote-control machines on the network and move laterally. And after sneaking around some more, they used a custom data exfiltration tool called CovalentStealer to siphon off sensitive data, which included contract-related information from shared drives.
While the federal government didn't attribute the break-in to any particular gangs or nation states, a blue box at the top of CISA's security alert at one point told organizations what to do to "protect against Russian-state sponsored malicious cyber activity." That reference to Russia has since vanished.
It seems someone eventually realized something was up because from November 2021 to January 2022, CISA and a "trusted third-party" security company were called in to check over the contractor's enterprise network in an incident response. During that probe, officials found and studied malicious network activity, and determined that some unnamed crews gained initial access to the organization's Exchange Server as early as mid-January 2021.
The investigators also found that the intruders, after snooping around the network for a couple of months, exploited in March 2021 a handful of Microsoft bugs, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server.
Then between July and October 2021, the spies used the aforementioned CovalentStealer, which can identify file shares on a system, categorizes the documents, and then uploads them to a remote server.
According to the cyber and law-enforcement agencies, the intruders – described, as usual, as advanced persistent threats – maintained access to the military contractor's network through mid-January 2022, "likely" by relying on staff credentials obtained by the miscreants.
- FBI: We tracked who was printing secret documents to unmask ex-NSA suspect
- Uncle Sam orders federal agencies to step up scans for govt IT security holes
- Ukraine fears 'massive' Russian cyberattacks on power, infrastructure
- Mandiant 'highly confident' foreign cyberspies will target US midterm elections
The attackers' use of Impacket, which has legitimate uses as well as malicious ones, is significant, according to Katie Nickels, director of intelligence at Red Canary. Specifically, Impacket's wmiexec.py</line> and smbexec.py Python scripts were used by the miscreants, once in the network, to remotely control machines on the victim's network.
"Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems," she told The Register, adding that in September, it was the fourth most prevalent threat that her firm observed.
While Impacket is relatively easy to detect with endpoint and network visibility, "it can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment," she said.
CISA, FBI and NSA also thanked Google's Mandiant for its contributions to the security alert. ®