The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory this morning describing an ongoing effort by Russian state-sponsored cyber actors who regularly target both large and small cleared defense contractors (CDCs) with “varying levels of cybersecurity protocols and resources.” According to evidence available to CISA, the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), the campaign began at least as early as January 2020 and has continued through February 2022. The attacks use a number of techniques, including spearphishing, credential harvesting, brute force and password spray attacks, and exploitation of known vulnerabilities. CISA emphasized the role of simple passwords, unpatched systems, and low employee cybersecurity awareness in its advisory.
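Brute force and password spray are the two credential attacks named above, and they look different in authentication logs: brute force hammers one account with many guesses, while spraying tries one or two common passwords against many accounts to stay under lockout thresholds. The following detector is an added example written for this summary; it is not code from CISA or from the advisory. It parses a constructed log of the form `timestamp src_ip user result` (an assumed format), flags a source that fails against many distinct accounts with few attempts each as a spray, flags a single account with many failures from one source as brute force, and then reports any successful login from a flagged source, which is the event a responder most wants to see.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): "timestamp src_ip user result".
# 203.0.113.7 tries six different accounts once each (spray pattern, one success).
# 198.51.100.2 tries the same account six times (brute-force pattern).
SAMPLE_LOG = """\
2022-02-16T09:00:01 203.0.113.7 alice FAIL
2022-02-16T09:00:04 203.0.113.7 bob FAIL
2022-02-16T09:00:07 203.0.113.7 carol FAIL
2022-02-16T09:00:10 203.0.113.7 dave FAIL
2022-02-16T09:00:13 203.0.113.7 erin FAIL
2022-02-16T09:00:16 203.0.113.7 frank SUCCESS
2022-02-16T09:05:00 198.51.100.2 alice FAIL
2022-02-16T09:05:03 198.51.100.2 alice FAIL
2022-02-16T09:05:06 198.51.100.2 alice FAIL
2022-02-16T09:05:09 198.51.100.2 alice FAIL
2022-02-16T09:05:12 198.51.100.2 alice FAIL
2022-02-16T09:05:15 198.51.100.2 alice FAIL
"""


def parse_log(text):
    """Turn the assumed four-field log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts with few attempts per account.

    The low per-account attempt count is what separates a spray from brute force:
    the attacker is deliberately staying under the lockout threshold.
    """
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    findings = []
    for src, fails in fails_by_src.items():
        fails.sort()
        best = None
        # Examine the window starting at each failure and keep the widest account spread.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {"src": src, "distinct_users": len(per_user),
                            "attempts": sum(per_user.values()), "window_start": start}
        if best is not None:
            findings.append(best)
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_fails=5):
    """Flag (source, account) pairs with many failures inside one time window."""
    stamps_by_pair = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            stamps_by_pair[(src, user)].append(ts)

    findings = []
    for (src, user), stamps in stamps_by_pair.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:   # slide the window's left edge
                j += 1
            if i - j + 1 >= min_fails:
                findings.append({"src": src, "user": user, "fails": len(stamps)})
                break
    return findings


def successes_from_flagged(events, findings):
    """Return (src, user) for successful logins from any source flagged by a detector."""
    flagged = {f["src"] for f in findings}
    return [(src, user) for _, src, user, result in events
            if result == "SUCCESS" and src in flagged]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    spray = detect_spray(evts)
    brute = detect_brute_force(evts)
    print("password spray:", spray)
    print("brute force:", brute)
    print("successes from flagged sources:", successes_from_flagged(evts, spray + brute))
```

The thresholds (five accounts in ten minutes, at most two attempts per account, five failures per account) are assumptions chosen for the constructed sample; in a real environment they should be tuned against baseline failure rates, and the same logic applies to VPN, Office 365 and Active Directory sign-in logs once the parser is adapted to their field layout.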
State-sponsored activity regularly involves a long dwell time of 6 months or more. Such threat actors focus on espionage and reconnaissance, as well as maintaining persistent access that could later support cyber-warfare or cyber-terrorism missions. These activities are not restricted to CDCs or other organizations of direct interest to a state-sponsored threat group. Smaller or unrelated organizations are often targeted first in order to exploit trust relationships, including email trust relationships as well as supply chain relationships. For example, a vending machine supplier may be compromised in order to deliver a maliciously crafted invoice that a targeted employee is more likely to trust in a phishing attack. It is therefore important to understand the wide scope of such activities and the threat these campaigns represent to all organizations with activity in the US.