CISA: Russian Actors Attacking US Defense Contractors
On February 16th, Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and the NSA issued a joint Cybersecurity advisory detailing the years long attacks on US Cleared Defense Contractors (CDCs) by Russian aligned actors.
Over the last two years CDCs, meaning a private entity granted clearance by the Department of Defense to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of any program of the Department of Defense, supporting all branches of the US Department of Defense, have been compromised by malicious actors.
The information targeted by these hackers includes CUI such as proprietary and export-controlled information on weapons development, communications infrastructure, and other sensitive technological and scientific areas.
The advisory listed the tactics used by these Russian hackers and they include:
Brute force techniques to identify valid account credentials for domain and M365 accounts and then use those credentials to gain initial access in networks.
Spearphishing emails with links to malicious domains, to include using methods and techniques meant to bypass virus and spam scanning tools.
Using harvested credentials used in conjunction with known vulnerabilities to escalate privileges and gain remote code executions on exposed applications.
Mapping Active Directory and connect to domain controllers, which would enable credentials to be exfiltrated.
Maintained persistent access, in multiple instances for at least six months, which is likely because the threat actors relied on possession of legitimate credentials enabling them to pivot to other accounts
These hackers have been able to access systems and grant themselves escalated privileges using some of the more well known MS365 vulnerabilities including:
CVE-2018-13379 (CVSS score: 9.8) – Path traversal vulnerability in Fortinet's FortiGate SSL VPN
CVE-2020-0688 (CVSS score: 8.8) – Microsoft Exchange validation key remote code execution vulnerability
CVE-2020-17144 (CVSS score: 8.4) – Microsoft Exchange remote code execution vulnerability
Exploiting these vulnerabilities have allowed these actors to maintain their access for six months or more while they utilize virtual private servers to exfiltrate emails and other information.
The Future of DoD Cybersecurity
There are already DoD Cybersecurity requirements for contractors and subcontractors, specified in DFARS clause 7012. The problem is the requirements rely on self-reporting a NIST SP 800-171 self-assessment and SPRS score to the DoD.
Without independent verification, this cybersecurity requirement is open to fraud and pencil whipping, which is alleged to be rampant among second tier defense contractors outside the big 4 (Raytheon, Lockheed, General Dynamics, and Northrop Grumman).
The DoD attempted to move away from the NIST self-reporting method towards the Cybersecurity Maturity Model Certification but after pushback from Defense contractors over the time and cost of implementing CMMC controls, the DoD reversed course and neutered the CMMC. Now CMMC 2.0, as it’s known, is just the NIST self-assessment under a different name.
The DoD supply chain utilizes hundreds, if not thousands, of small and medium size businesses across the US. With that large of an attack surface, the DoD supply chain remains exceptionally vulnerable as long as strict and independently verified cybersecurity controls and programs are not enforced.
Questions For You!
Is this really a problem or just media hype?
In your experience, how well do organizations manage the supply chain weak link?
Does your organization have an official vendor information security risk monitoring program?
Do you have any war stories (without naming companies) you'd like to share to help others better understand this issue?
If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note to keep our environment clean and free of advertisments of any kind, comments may not include external links, citing company names to promote them, or the like.