FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization
U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a “Defense Industrial Base (DIB) Sector organization’s enterprise network” as part of a cyber espionage campaign.
“[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data,” the authorities said.
The joint advisory, which was authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), said the adversaries likely had long-term access to the compromised environment.
The findings are the result of CISA’s incident response efforts in collaboration with cybersecurity company Mandiant from November 2021 through January 2022. It did not attribute the intrusion to a known threat actor or group.
The initial infection vector used to breach the network is also unknown, although some of the APT actors are said to have obtained a digital beachhead to the target’s Microsoft Exchange Server as early as mid-January 2021.
Subsequent post-exploitation activities in February entailed a mix of reconnaissance and data collection efforts, the latter of which resulted in the exfiltration of sensitive contract-related information. Also deployed during this phase was the Impacket tool to establish persistence and facilitate lateral movement.
A month later, the APT actors exploited ProxyLogon flaws in Microsoft Exchange Server to install 17 China Chopper web shells and HyperBro, a backdoor exclusively used by a Chinese threat group called Lucky Mouse (aka APT27, Bronze Union, Budworm, or Emissary Panda).
The intruders, from late July through mid-October 2021, further employed a bespoke malware strain called CovalentStealer against the unnamed entity to siphon documents stored on file shares and upload them to a Microsoft OneDrive cloud folder.
Organizations are recommended to monitor logs for connections from unusual VPNs, suspicious account use, anomalous and known malicious command-line usage, and unauthorized changes to user accounts.