{"id":18314,"date":"2022-02-18T10:45:06","date_gmt":"2022-02-18T18:45:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/18\/news-12047\/"},"modified":"2022-02-18T10:45:06","modified_gmt":"2022-02-18T18:45:06","slug":"news-12047","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/18\/news-12047\/","title":{"rendered":"US Agencies Say Russian Hackers Compromised Defense Contractors"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/620d9afad88b0a9fa5094bd6\/master\/pass\/Security-Russia-FBI-Hack-974960822.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Thu, 17 Feb 2022 21:05:00 +0000<\/strong><\/p>\n<p><span class=\"lead-in-text-callout\">Hackers backed by<\/span> the Russian government have breached the networks of multiple US defense contractors in a sustained campaign that has revealed sensitive information about US weapons-development communications infrastructure, the federal government said on Wednesday.<\/p>\n<p class=\"paywall\">This story originally appeared on <a 
data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/\" rel=\"nofollow noopener\" target=\"_blank\">Ars Technica<\/a>, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED&#x27;s parent company, Cond\u00e9 Nast.<\/p>\n<p class=\"paywall\">The campaign began no later than January 2020 and has continued through this month, according to a <a data-offer-url=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-047a\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-047a&quot;}\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-047a\" rel=\"nofollow noopener\" target=\"_blank\">joint advisory<\/a> by the FBI, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency. The <a href=\"https:\/\/www.wired.com\/tag\/hackers\/\">hackers<\/a> have been targeting and successfully hacking cleared defense contractors, or CDCs, which support contracts for the US Department of Defense and intelligence community.<\/p>\n<p class=\"paywall\">\u201cDuring this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months,\u201d officials wrote in the advisory. 
\u201cIn instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company\u2019s products, relationships with other countries, and internal personnel and legal matters.\u201d<\/p>\n<p class=\"paywall\">The exfiltrated documents included unclassified CDC-proprietary and export-controlled information. This information gives the <a href=\"https:\/\/www.wired.com\/tag\/russia\/\">Russian government<\/a> \u201csignificant insight\u201d into US weapons-platforms development and deployment timelines, plans for communications infrastructure, and specific technologies being used by the US government and military. The documents also include unclassified emails among employees and their government customers discussing proprietary details about technological and scientific research.<\/p>\n<p class=\"paywall\">The advisory said:<\/p>\n<p class=\"paywall\"><em>These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. 
These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.<\/em><\/p>\n<p class=\"paywall\">The hackers have used a variety of methods to breach their targets. The methods include harvesting network passwords through <a href=\"https:\/\/www.wired.com\/tag\/phishing\/\">spear phishing<\/a>, <a href=\"https:\/\/www.wired.com\/tag\/data-breaches\/\">data breaches<\/a>, cracking techniques, and exploitation of unpatched <a href=\"https:\/\/www.wired.com\/tag\/vulnerabilities\/\">software vulnerabilities<\/a>. After gaining a toehold in a targeted network, the threat actors escalate their system rights by mapping the Active Directory and connecting to domain controllers. From there, they\u2019re able to exfiltrate credentials for all other accounts and create new accounts.<\/p>\n<p class=\"paywall\">The hackers make use of virtual private servers to encrypt their communications and hide their identities, the advisory added. They also use \u201csmall office and home office (SOHO) devices, as operational nodes to evade detection.\u201d In 2018, Russia was caught <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2018\/05\/fbi-seizes-server-russia-allegedly-used-to-infect-500000-consumer-routers\/\" rel=\"nofollow noopener\" target=\"_blank\">infecting more than 500,000 consumer routers<\/a> so the devices could be used to infect the networks they were attached to, exfiltrate passwords, and manipulate traffic passing through the compromised device.<\/p>\n<p class=\"paywall\">These 
techniques and others appear to have succeeded.<\/p>\n<p class=\"paywall\">\u201cIn multiple instances, the threat actors maintained persistent access for at least six months,\u201d the joint advisory stated. \u201cAlthough the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence, enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.\u201d<\/p>\n<p class=\"paywall\">The advisory contains a list of technical indicators admins can use to determine if their networks have been compromised in the campaign. It goes on to urge all CDCs to investigate suspicious activity in their enterprise and cloud environments.<\/p>\n<p class=\"paywall\"><em>This story originally appeared on<\/em> <a data-offer-url=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/&quot;}\" href=\"https:\/\/arstechnica.com\/information-technology\/2022\/02\/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months\/\" rel=\"nofollow noopener\" target=\"_blank\"><em>Ars Technica<\/em><\/a><em>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/us-says-russian-hackers-compromised-defense-contractors\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" 
src=\"https:\/\/media.wired.com\/photos\/620d9afad88b0a9fa5094bd6\/master\/pass\/Security-Russia-FBI-Hack-974960822.jpg\"\/><\/p>\n<p><strong>Credit to Author: Dan Goodin, Ars Technica| Date: Thu, 17 Feb 2022 21:05:00 +0000<\/strong><\/p>\n<p>Kremlin-backed cyber actors lurked in the networks for months, obtaining sensitive documents related to weapons and infrastructure development.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18314","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18314"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18314\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18314"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}