Posted on Wednesday February 16, 2022
Original release date: February 16, 2022Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:
• Enforce multifactor authentication.
• Enforce strong, unique passwords.
• Enable M365 Unified Audit Logs.
• Implement endpoint detection and response tools.
From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:
Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.
In many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.
These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.
For additional information on Russian state-sponsored cyber activity, see CISA's webpage, Russia Cyber Threat Overview and Advisories.
Click here for a PDF version of this report.
Russian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020, through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.
During this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company’s products, relationships with other countries, and internal personnel and legal matters.
Through these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.
Figure 1. Targeted Industries
Figure 2. Exfiltrated Information
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
Russian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.
After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database ntds.dit [T1003.003]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers.
Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [T1213.002], user profiles, and user emails [T1114.002].
The threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [T1090.003].
In multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [T1078], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.
The following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. Note: for specific countermeasures related to each ATT&CK technique, see the Enterprise Mitigations section and MITRE D3FEND™.
Table 1: Observed Tactics, Techniques, and Procedures (TTPs)
| Tactic | Technique | Procedure |
|---|---|---|
|
Reconnaissance [TA0043] Credential Access [TA0006] |
Gather Victim Identity Information: Credentials [T1589.001] Brute Force [T1110] |
Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access. |
| Initial Access [TA0001] | External Remote Services [T1133] | Threat actors continue to research vulnerabilities in Fortinet’s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [2] |
|
Initial Access [TA0001] Privilege Escalation [TA0004] |
Valid Accounts [T1078] Exploit Public-Facing Application [T1190] |
Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)—CVE-2020-0688 and CVE-2020-17144—to escalate privileges and gain remote code execution (RCE) on the exposed applications. [3] |
|
Initial Access [TA0001]
|
Phishing: Spearphishing Link [T1566.002] Obfuscated Files or Information [T1027] |
Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link. |
|
Initial Access [TA0001]
|
OS Credential Dumping: NTDS [T1003.003] Valid Accounts: Domain Accounts [T1078.002] |
Threat actors logged into a victim’s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database ntds.dit. |
|
Initial Access [TA0001] Privilege Escalation [TA0004] Collection [TA0009] |
Valid Accounts: Cloud Accounts [T1078.004] Data from Information Repositories: SharePoint [T1213.002] |
In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes. |
|
Initial Access [TA0001] Collection [TA0009] |
Valid Accounts: Domain Accounts [T1078.002] Email Collection [T1114] |
In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system. |
|
Persistence [TA0003] Lateral Movement [TA0008] |
Valid Accounts [T1078] | Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access. |
| Discovery [TA0007] | File and Network Discovery [T1083] | After gaining access to networks, the threat actors used BloodHound to map the Active Directory. |
| Discovery [TA0007] | Domain Trust Discovery [T1482] | Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities. |
| Command and Control [TA0011] | Proxy: Multi-hop Proxy [T1090.003] | Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target. |
The FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
Implement robust log collection and retention. Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:
ntds.dit file from a domain controller. Organizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.
Note: for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise. Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the SolarWinds Orion supply chain compromise, the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors.
The FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate against common malicious activity.
In addition to setting up centralized logging, organizations should:
To assist with identifying suspicious behavior with administrative accounts:
Note: review CISA’s page on APTs Targeting IT Service Provider Customers and CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses for additional recommendations for MSP and CSP customers.
With the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices. Note: for additional information, see joint NSA-CISA Cybersecurity Information Sheet: Selecting and Hardening Remote Access VPN Solutions.
Cyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:
If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to rewardsforjustice.net.
The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA.
To report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or Cybersecurity_Requests@nsa.gov. Defense Industrial Base companies may additionally sign up for NSA’s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at dib_defense@cyber.nsa.gov.
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [T1589.001].[17]
| ID | Name | Description |
|---|---|---|
| T1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting. |
Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[18] These specific actors obtained and abused credentials of domain [T1078.002] and cloud accounts [T1078.004].[19] The actors also used external remote services to gain access to systems [T1133].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [T1190].[21] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [T1566.002].[22]
| ID | Name | Description |
|---|---|---|
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. |
| T1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. |
| T1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. |
| T1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. |
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[23]
| ID | Name | Description |
|---|---|---|
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [T1078].[24] Specifically in this case, credentials of cloud accounts [T1078.004] were obtained and abused.[25]
| ID | Name | Description |
|---|---|---|
| T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. |
| T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [T1027].[26]
| ID | Name | Description |
|---|---|---|
| T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
Credential Access consists of techniques for stealing credentials like account names and passwords. The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [T1003.003].[27] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [T1110.003].[28]
| ID | Name | Description |
|---|---|---|
| T1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. |
| T1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. |
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [T1083].[29] In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [T1482].[30]
| ID | Name | Description |
|---|---|---|
| T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
| T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. |
Collection [TA0009]
Collection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [T1213.002].[31]
| ID | Name | Description |
|---|---|---|
| T1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information. |
Command and Control [TA0011]
Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic. In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [T1090.003].[32]
| ID | Name | Description |
|---|---|---|
| T1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. |
[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[2] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities, 7 October 2019.
[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments, 1 July 2021.
[4] Microsoft Article: AD Forest Recovery – Resetting the krbtgt password, 29 July 2021.
[5] Microsoft GitHub: New-KrbtgtKeys.ps1, 14 May 2020.
[6] NSA Cybersecurity Information: Defend Privileges and Accounts, August 2019.
[7] Microsoft Article: Group Managed Service Accounts Overview, 29 July 2021.
[8] NSA Cybersecurity Information: Leverage Modern Hardware Security Features, August 2019.
[9] Microsoft Article: Protect derived domain credentials with Windows Defender Credential Guard, 3 December 2021.
[10] Microsoft Article: Windows Defender Credential Guard protection limits, 3 December 2021.
[11] Microsoft Article: Windows 11 requirements, 30 November 2021.
[12] Microsoft Blog Post: The Importance of KB2871997 and KB2928120 for Credential Protection, 20 September 2021.
[13] Microsoft Article: What’s New in Credential Protection, 7 January 2022.
[14] NSA Cybersecurity Factsheet: PowerShell: Security Risks and Defenses, 1 December 2016.
[15] NSA Cybersecurity Information: Update and Upgrade Software Immediately, August 2019.
[16] NSA Cybersecurity Information: Actively Manage Systems and Configurations, August 2019.
[17] MITRE Groups: APT28, 18 October 2021.
[18] MITRE Groups: APT28, 18 October 2021.
[19] MITRE Software: Cobalt Strike, 18 October 2021.
[20] Based on technical information shared by Mandiant.
[21] MITRE Groups: APT28, 18 October 2021.
[22] Based on technical information shared by Mandiant.
[23] MITRE Groups: APT28, 18 October 2021.
[24] MITRE Groups: APT28, 18 October 2021.
[25] MITRE Software: Cobalt Strike, 18 October 2021.
[26] MITRE Software: Fysbis, 6 November 2020.
[27] MITRE Software: Koadic, 30 March 2020.
[28] MITRE Groups: APT28, 18 October 2021.
[29] Based on technical information shared by Mandiant.
[30] Based on technical information shared by Mandiant.
[31] MITRE Groups: APT28, 18 October 2021.
[32] MITRE Groups: APT28, 18 October 2021.
This product is provided subject to this Notification and this Privacy & Use policy.
Phone: +1-989-776-2080
Toll Free: +1-855-674-2968
Email: info (at) netservicesgroup dot com
DUNS 155892800
SPIN 143027933
100% Michigan
NSG is owned & operated, offering enterprise-level IT service & support, right in your own back yard.