CISA: Multiple government hacking groups had ‘long-term’ access to defense company

Several U.S. agencies said it is likely that multiple government hacking groups had “long-term” access to the network of a defense company.

In a report from the Cybersecurity and Infrastructure Security Agency (CISA), FBI and National Security Agency (NSA), the agencies said some of the hackers exploited Microsoft Exchange vulnerabilities on the unnamed organization's server to gain access remotely and compromise legitimate company accounts to access emails, meetings, and contacts belonging to other employees.

CISA said it initially discovered the issues while responding to hacker activity on the defense company’s network from November 2021 to January 2022.

During their investigation, CISA uncovered that likely multiple advanced persistent threat (APT) groups compromised the organization’s network, and some APT actors had long-term access to the environment. 

“APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data,” CISA said in its advisory. 

Katie Nickels, director of intelligence at cybersecurity firm Red Canary, said Impacket is one of the top threats observed in customer environments.

She explained that hackers favor it because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems.

“In September, it was the fourth most prevalent threat we observed. The good news is that Impacket can be detected with endpoint and network visibility,” she said. “However, while Impacket is fairly easy to detect, it can be challenging to determine if the activity is malicious or benign without additional context and understanding of what is normal in an environment.” 

Nickels suggested organizations have a clearly-outlined understanding of the authorized instances where Impacket can be used in their environments and “consider any activity outside of that to be malicious until proven otherwise.”

‘As early as mid-January 2021’

According to the agencies’ report, the defense company brought in a cybersecurity company to respond to the incident before CISA got involved. 

In its investigation, CISA found the government hackers gained initial access to the organization as early as mid-January 2021.

It is unclear how the group initially gained access to the organization’s Microsoft Exchange Server, but once they did, the hackers gathered information about the environment and searched through employee mailboxes within four hours of entry. 

The hackers managed to compromise administrator-level accounts, and by February 2021 started to exfiltrate sensitive data, “including sensitive contract-related information from shared drives.”

By early March 2021, the hackers allegedly began exploiting Microsoft vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26868, and CVE-2021-27065.

Nickels noted that there have been multiple Exchange vulnerabilities over a span of years, and given the challenges of patching on-premise Exchange servers, many of these vulnerabilities remain unpatched and “give adversaries an opportunity to compromise a network.”

From July to October 2021, the hackers used their custom exfiltration tool CovalentStealer to steal any remaining sensitive files. 

The group was able to maintain access to the network through mid-January 2022 by exploiting legitimate credentials which had been stolen. 

In one instance, the hackers used the account of a former employee to access mailbox items like email messages, meetings and contacts.

The incident raised alarms among U.S. law enforcement agencies, who urged defense industrial base and critical infrastructure organizations to look through and implement the detection and mitigation actions listed in the advisory.

The agencies recommended critical infrastructure companies enforce multi-factor authentication on all user accounts, implement network segmentation, update software and audit account usage for malicious activity. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.