Today, the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), issued a warning to all cleared defense contractors (CDCs) that their networks are being actively targeted by Russian state-sponsored actors seeking sensitive defense information and technologies. CISA Alert AA22-047A goes on to stress that size is not a determinant of Russian targeting: both small and large CDCs supporting the Department of Defense (DoD) and the Intelligence Community are being targeted.
Per the Alert, CDCs whose technologies and support efforts fall in the following areas are specifically being targeted:
- Command, control, communications, and combat systems;
- Intelligence, surveillance, reconnaissance, and targeting;
- Weapons and missile development;
- Vehicle and aircraft design; and
- Software development, data analytics, computers, and logistics
To date, CISA advises, CDC entities “supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs” have been compromised during the sustained efforts of the Russian state-sponsored actors over the past two years (January 2020 through February 2022). In some networks the actors maintained a persistent presence for as long as six months. Investigatory efforts by the FBI, NSA, and CISA have documented the “recurring exfiltration of emails and data.”
CISO and FSO guidance
CISOs and Facility Security Officers (FSOs) should familiarize themselves with the adversaries’ Tactics, Techniques, and Procedures (TTPs) and apply the Alert’s recommendations to their own environment. The Alert emphasizes that the Russian actors use a number of techniques to obtain credentials, including spear-phishing and credential harvesting, and then use brute force (password guessing and password spraying) to locate valid account credentials. This drives home the need for unique credentials and multi-factor authentication on both classified and unclassified networks.
Employees should be reminded that even though unclassified internal communications may not contain “classified” information, such emails may include proprietary or otherwise sensitive information which has no business being in the hands of Russia or any other adversarial nation. To that end, remind employees that they do not get to decide whether they are the adversary’s target; that determination is made by the adversary. It is therefore of the utmost importance that sound cyber hygiene practices be in place and followed.
While the Alert highlights industrial sectors associated with weapons and missile development, vehicle and aircraft design, software development and information technology, data analysis, and logistics, the threat from the Russian cyber actors is not limited to those sectors. Similarly, the unclassified communications of the CDC community carry a wealth of sensitive information, and the Alert notes adversary interest in acquiring email, contract details, product development, tests and timelines, foreign partnerships, and funding information.
CISA Director Jen Easterly highlighted today’s warning with a well-timed tweet, in which she urged “#ShieldsUp”:
#ShieldsUp: We continue to observe malicious activity by Russian state-sponsored cyber actors targeting U.S. critical infrastructure and cleared defense contractors. Learn more in our advisory with our teammates @FBI & @NSACyber: https://t.co/SbIhPGtNLO pic.twitter.com/QJgwmO7eDt
— Jen Easterly🛡️ (@CISAJen) February 16, 2022
In closing, the Alert highlights four “must” actions to protect against the Russian state-sponsored efforts:
- Enforce multifactor authentication
- Enforce strong, unique passwords
- Enable M365 unified audit logs
- Implement endpoint detection and response tools
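The credential-harvesting and brute-force TTPs described in the guidance above, and the third “must” action (enabling the M365 unified audit log), only pay off if someone actually looks at the sign-in events. The following is an added example of that detection logic, not code from the Alert or from CISA: it parses constructed Azure AD sign-in records in the unified audit log’s JSON shape (the `CreationTime`, `Operation`, `UserId` and `ClientIP` field names, and the `UserLoginFailed` / `UserLoggedIn` operation names, are assumed from the Office 365 Management Activity API schema; every value, address and account in the sample is invented) and flags a password spray (one source, one guess each against many accounts), a brute-force run (one source, many guesses against one account), and the event that matters most, a successful sign-in from a source already flagged. The window and thresholds are assumptions to tune per tenant.

```python
"""Flag password-spray and brute-force patterns in Microsoft 365 unified
audit log sign-in records. Added example; sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the tenant's normal failure rate.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5        # distinct accounts failed from one IP inside WINDOW
BRUTE_MIN_ATTEMPTS = 5     # failures against one account from one IP inside WINDOW


def _rec(ts, op, user, ip):
    # Field names follow the unified audit log / Management Activity API
    # schema; the values are constructed for this example.
    return json.dumps({"CreationTime": ts, "Workload": "AzureActiveDirectory",
                       "Operation": op, "UserId": user, "ClientIP": ip})


# Constructed sample log: one JSON record per line, as exported from the
# unified audit log. Addresses use the RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join([
    # Password spray: one source, one attempt per account, then a success.
    _rec("2022-02-16T03:00:01", "UserLoginFailed", "alice@example.com", "203.0.113.7"),
    _rec("2022-02-16T03:00:09", "UserLoginFailed", "bob@example.com",   "203.0.113.7"),
    _rec("2022-02-16T03:00:17", "UserLoginFailed", "carol@example.com", "203.0.113.7"),
    _rec("2022-02-16T03:00:25", "UserLoginFailed", "dave@example.com",  "203.0.113.7"),
    _rec("2022-02-16T03:00:33", "UserLoginFailed", "erin@example.com",  "203.0.113.7"),
    _rec("2022-02-16T03:04:10", "UserLoggedIn",    "erin@example.com",  "203.0.113.7"),
    # Brute force: one source hammering a single account (six failures).
    *[_rec(f"2022-02-16T04:00:{s:02d}", "UserLoginFailed", "frank@example.com",
           "198.51.100.9") for s in range(0, 60, 10)],
    # Benign: a user mistypes once, then signs in from the same address.
    _rec("2022-02-16T08:15:00", "UserLoginFailed", "alice@example.com", "192.0.2.5"),
    _rec("2022-02-16T08:15:20", "UserLoggedIn",    "alice@example.com", "192.0.2.5"),
])


def parse_records(text):
    """Parse one JSON audit record per line; returns records sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    records.sort(key=lambda r: r["_time"])
    return records


def _failures_by(records, key):
    """Group UserLoginFailed events by key(record), keeping (time, user) pairs."""
    groups = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            groups[key(r)].append((r["_time"], r["UserId"]))
    return groups


def _max_window(events, window, measure):
    """Largest value of measure(events in any sliding window of `window`)."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, measure(events[start:end + 1]))
    return best


def detect_password_spray(records, window=WINDOW, min_users=SPRAY_MIN_USERS):
    """Source IPs that failed against >= min_users distinct accounts inside
    `window`. Returns {ip: sorted list of targeted accounts}."""
    hits = {}
    for ip, events in _failures_by(records, lambda r: r["ClientIP"]).items():
        distinct = _max_window(events, window, lambda w: len({u for _, u in w}))
        if distinct >= min_users:
            hits[ip] = sorted({u for _, u in events})
    return hits


def detect_brute_force(records, window=WINDOW, min_attempts=BRUTE_MIN_ATTEMPTS):
    """(ip, account) pairs with >= min_attempts failures inside `window`.
    Returns {(ip, account): peak failure count in one window}."""
    hits = {}
    grouped = _failures_by(records, lambda r: (r["ClientIP"], r["UserId"]))
    for key, events in grouped.items():
        count = _max_window(events, window, len)
        if count >= min_attempts:
            hits[key] = count
    return hits


def successful_logins_from(records, suspect_ips):
    """Successful sign-ins from an already-flagged source: the signal that a
    valid credential was found and the account needs immediate response."""
    return [(r["ClientIP"], r["UserId"]) for r in records
            if r["Operation"] == "UserLoggedIn" and r["ClientIP"] in suspect_ips]


def triage(text):
    records = parse_records(text)
    spray = detect_password_spray(records)
    brute = detect_brute_force(records)
    suspects = set(spray) | {ip for ip, _ in brute}
    return {"spray": spray, "brute_force": brute,
            "compromised": successful_logins_from(records, suspects)}


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG).items():
        print(finding, detail)
```

On the constructed sample, `triage` reports the spray from 203.0.113.7 against five accounts, the six-attempt brute force against frank from 198.51.100.9, and erin’s successful sign-in from the spraying address as the compromise to act on; alice’s single mistyped password from her usual address is not flagged. In production the same logic runs over `Search-UnifiedAuditLog` exports or the Management Activity API feed, and the “compromised” list is what should trigger a password reset, MFA re-registration and session revocation.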
Download the 19-page PDF of the joint cybersecurity advisory, AA22-047A, dated February 16, 2022.