H-ISAC TLP White Threat Briefing: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive US Defense Info

H-ISAC TLP White Threat Briefing
February 16, 2022

Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive US Defense Information and Technology

From at least January 2020 through February 2022, the United States Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of US cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources.

These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:

  • Command, control, communications, and combat systems.
  • Intelligence, surveillance, reconnaissance, and targeting.
  • Weapons and missile development.
  • Vehicle and aircraft design.
  • Software development, data analytics, computers, and logistics.

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.
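The brute-force and password-spray techniques named above leave a characteristic pattern in authentication logs: a spray is one source failing against many distinct accounts with few attempts each, while classic brute force is many failures against one account. The following is an added example written for this briefing, not code from H-ISAC, the FBI, NSA or CISA. It runs over constructed sample log lines in a hypothetical `src=... user=... result=...` format (a real M365 sign-in log would need its own parser) and shows the two detections plus the triage step a defender cares about most: which accounts later authenticated successfully from a spraying source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the advisory). The line
# format is hypothetical: ISO-8601 UTC timestamp, source IP, account, result.
SAMPLE_LOG = """\
2022-02-10T08:00:05Z src=203.0.113.5 user=alice result=FAIL
2022-02-10T08:00:09Z src=203.0.113.5 user=bob result=FAIL
2022-02-10T08:00:14Z src=203.0.113.5 user=carol result=FAIL
2022-02-10T08:00:20Z src=203.0.113.5 user=dave result=FAIL
2022-02-10T08:00:27Z src=203.0.113.5 user=erin result=FAIL
2022-02-10T08:00:33Z src=203.0.113.5 user=frank result=SUCCESS
2022-02-10T08:15:00Z src=198.51.100.7 user=alice result=FAIL
2022-02-10T08:16:00Z src=198.51.100.7 user=alice result=FAIL
2022-02-10T08:17:00Z src=198.51.100.7 user=alice result=FAIL
2022-02-10T08:18:00Z src=198.51.100.7 user=alice result=SUCCESS
2022-02-10T09:00:00Z src=192.0.2.44 user=grace result=FAIL
2022-02-10T09:05:00Z src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, src, user, result) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line should not abort the whole analysis
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Sources that fail against >= min_accounts distinct accounts inside one window.
    Returns {src: set of accounts targeted}."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    findings = {}
    for src, fails in fails_by_src.items():
        fails.sort()  # chronological, so each window starts at one failure
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                findings[src] = users
                break
    return findings


def detect_brute_force(events, min_failures=3, window=timedelta(minutes=30)):
    """(src, user) pairs with >= min_failures failures inside one window.
    Returns {(src, user): failure count in the first window that crosses the threshold}."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[(src, user)].append(ts)
    findings = {}
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_failures:
                findings[key] = n
                break
    return findings


def successes_from_spraying_sources(events, spray):
    """Accounts that authenticated successfully from a flagged spraying source.
    These are the sessions to triage first: a spray that found a valid password
    looks exactly like a legitimate login from then on."""
    return {(src, user) for _, src, user, result in events
            if src in spray and result == "SUCCESS"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    print("password spray sources:", spray)
    print("brute force on single accounts:", detect_brute_force(evs))
    print("successful logins from spraying sources:",
          successes_from_spraying_sources(evs, spray))
```

Thresholds and the window are starting points to tune against your own baseline; the point of the spray check is that per-account lockout thresholds never fire when each account sees only one attempt, so the detection must pivot on the source, not the account.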

In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.

These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into US weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of US intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for US defense information in the near future. These agencies encourage all CDCs and related organizations to apply the recommended mitigations in this advisory, regardless of evidence of compromise.

Health-ISAC is releasing this TLP:WHITE advisory for members' increased security awareness, as increased geopolitical tensions could directly or indirectly affect security and business operations within your own environment, as well as the third- and fourth-party entities that provide services to your healthcare organization. Health-ISAC has also released a separate report on Russian state-sponsored cyber threats to US critical infrastructure entities, with additional details and recommendations, which can be accessed here. Health-ISAC has also disseminated a member survey inquiring about member preparedness and observations regarding a recent Ukrainian cyber-attack. The full statistical report, with additional strategic analysis, can be accessed here.

View the detailed report, including the full, original TLP:WHITE Joint Cyber Security Advisory below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272