The Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a Joint Advisory after observing the regular and persistent targeting of United States cleared defense contractors (CDCs) by Russian state-sponsored cyber threat actors. The targeted CDCs have contracts supporting the U.S. Department of Defense and Intelligence agencies in areas to include: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.
In the past state-sponsored Russian cyber threat actors used common techniques to access the targeted networks. These include credential harvesting, brute force/password spray techniques, spear phishing, and the use of known vulnerability exploitation against accounts and networks with weak security. These threat actors take advantage of simple and unchanged default passwords, unpatched systems, and unsuspecting and potentially socially engineered employees to gain initial access. Once access is obtained then the threat actors can begin moving laterally through the network to establish persistence, exfiltrate data, and cause harm in many other ways. These same cyber threat actors have employed very similar tactics to gain unauthorized access to enterprise and cloud networks with a focus on leveraging their expertise in attacking Microsoft Office 365 environments.
These network intrusions and subsequent data breaches have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information is still highly sensitive. It provides significant data on U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.
This information may help adversaries to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information. The Joint Advisory has provided recommended mitigations.
High level actions to help protect against these Russian state-sponsored cyber threat actors activity include:
- Enforce multi factor authentication.
- Enforce strong, unique passwords.
- Enable Microsoft Office 365 Unified Audit Logs.
- Implement endpoint detection and response tools.
There is highly detailed information in the Joint Alert including:
- Threat details on the targeted industries and assessed motive.
- Threat actor activity as defined using the MITRE ATT&CK framework with detailed specification of the specific tactics, techniques, and procedures (TTPs) employed.
- Detection best practices around anomalous activity and evidence of known TTPs.
- Incident response and remediation best practices including password resets on *all* local accounts.
- Mitigations to include credential hardening, centralized log management, better and faster software and patch management programs, antivirus programs, the use of EDR tools, configuration management programs, the principle of least privileges, review of trusted relationships, work environment best practices, user awareness best practices.
The use of MITRE ATT&CK provides you data from a well understood taxonomy of the activities of threat actors so that you can, in turn, validate that your environment is protected against these techniques. If not adequately protected, then your team can prioritize the required mitigations to shut down these attack vectors.
DNS security is also an important part of any defense.
DNS gives you an opportunity to know and control what resources a user is accessing on the network. DNS can provide the earliest indicators of a user’s true intent. BloxOne® Threat Defense, the DNS security solution from Infoblox, along with DNS, DHCP, IPAM (DDI) provide deep visibility to activity, including which network assets are accessing which destinations, where compromised devices are on the network and when new devices join the network. BloxOne Threat Defense Foundational Security is an essential control point and can be a critical part of your intelligence gathering and defensive measures.
BloxOne Threat Defense helps protect users, devices, and systems across your on-premises/HQ, cloud workloads, remote locations, and teleworking environments. BloxOne Threat Defense can protect against phishing, exploits, ransomware and other dangerous modern malware.
Let us remember that DDI functions are core and critical network services. Absolutely nothing can happen within your networks if a device has no IP address and cannot query for domains. Using DDI, you know who and what is on your network and the services are being accessed. DDI data is a critical part of your first first line of defense against state-sponsored Russian threat actors or any other party with malicious intent.
Looking at this more closely, also remember that DHCP is the first step in the DDI chain. Before a device can access anything on a network, it must request and be granted an IP address using DHCP. Once this happens the server has a record, also called a “lease,” that ties that device based upon its MAC address to the granted IP address. DHCP links an IP address to a device and unlocks all of the metadata associated with the DHCP process.
DNS is the second step in the DDI chain. DNS knows the service that is being accessed based on the domain for which the user traffic is destined. Envision this as a security stack where you have devices (and associated metadata), IP, and now data about the traffic destinations.
IPAM provides the unification of all of this data. You can use IPAM to improve your defenses across the board. IPAM is the authoritative inventory for all devices on the network. IPAM is one place any host, subnet, server, or service VIP is defined, tracked, and kept up-to-date. This information is an invaluable and important part of any cyber defense strategy.
To find out more please go to: https://www.infoblox.com/products/bloxone-threat-defense/
Defense Industrial Base companies may additionally sign up for NSA’s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at email@example.com
Other relevant links:
For additional information on Russian state-sponsored cyber activity, see CISA’s webpage, Russia Cyber Threat Overview and Advisories.
|Shields Up | CISA
Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.