CISA, partners issue alert on threat actors targeting defense industrial base organization's network

By Charlie Mitchell  / October 5, 2022

An alert from the Cybersecurity and Infrastructure Security Agency and other federal agencies provides details on advanced persistent threat activity targeting a defense industrial base entity with a tool designed to extract sensitive information.

“From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network,” according to Alert AA-22-277A issued Tuesday by CISA, the FBI and National Security Agency.

“During incident response activities,” the alert said, “CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.”

CISA didn’t name the victim, threat actors or a sponsoring nation-state, but the advisory included tips on guarding against “Russian state-sponsored malicious cyber activity.”

CISA and a “trusted third-party incident response organization” engaged with the DIB entity from November through January, according to the alert.

The alert “provides the APT actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). CISA, FBI, and NSA recommend DIB sector and other critical infrastructure organizations implement the mitigations in this [cybersecurity alert] to ensure they are managing and reducing the impact of APT cyber threats to their networks.”

It explained that “Some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (‘Admin 1’) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN).”
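The passage above describes what defenders can recover from web access logs: a privileged account driving the EWS API, from a VPN address pool, with a burst of activity inside a four-hour window. The script below is an added illustration (not code from the article or from CISA) of that kind of log review. It assumes a simplified IIS W3C-style record layout, a hypothetical admin account `CORP\admin1`, and a hypothetical VPN client pool `10.8.0.0/24`; the sample records are constructed, not real logs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified IIS W3C layout (not real logs):
# date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2021-01-14 02:03:11 10.8.0.23 CORP\\admin1 POST /EWS/Exchange.asmx 200
2021-01-14 02:04:40 10.8.0.23 CORP\\admin1 POST /EWS/Exchange.asmx 200
2021-01-14 02:09:02 10.8.0.23 CORP\\admin1 POST /EWS/Exchange.asmx 200
2021-01-14 03:15:19 10.8.0.23 CORP\\admin1 POST /EWS/Exchange.asmx 200
2021-01-14 05:30:00 192.168.4.17 CORP\\jdoe POST /EWS/Exchange.asmx 200
2021-01-14 05:31:00 192.168.4.17 CORP\\jdoe GET /owa/ 200
2021-02-02 22:10:45 10.8.0.41 CORP\\admin1 POST /EWS/Exchange.asmx 200
"""

# Assumptions about the environment (hypothetical values):
PRIVILEGED_ACCOUNTS = {"CORP\\admin1"}             # admin accounts that should not be driving EWS
VPN_POOLS = [ipaddress.ip_network("10.8.0.0/24")]  # address pool handed out to VPN clients
EWS_PATH = "/ews/exchange.asmx"
BURST_WINDOW = timedelta(hours=4)   # the alert's "four-hour period"
BURST_THRESHOLD = 3                 # EWS calls by one account inside that window


def parse_line(line):
    """Split one log record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(parts[2])
    except ValueError:
        return None
    return {"time": when, "ip": ip, "user": parts[3], "method": parts[4], "path": parts[5]}


def is_vpn(ip, pools=VPN_POOLS):
    return any(ip in pool for pool in pools)


def analyze(log_text, privileged=PRIVILEGED_ACCOUNTS, pools=VPN_POOLS):
    """Return a list of findings (dicts) for suspicious EWS usage in the log text."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    ews = [e for e in events if e["path"].lower() == EWS_PATH]
    findings, seen, per_account = [], set(), defaultdict(list)
    for e in ews:
        per_account[e["user"]].append(e["time"])
        key = (e["user"], e["ip"])
        if key in seen:
            continue  # one finding per account/source pair, not one per request
        seen.add(key)
        if e["user"] in privileged:
            findings.append({"kind": "privileged_account_ews", "account": e["user"],
                             "ip": str(e["ip"]), "first_seen": e["time"]})
        if is_vpn(e["ip"], pools):
            findings.append({"kind": "ews_from_vpn", "account": e["user"],
                             "ip": str(e["ip"]), "first_seen": e["time"]})
    # Burst check: many EWS calls by one account inside the window points at
    # scripted mailbox searching rather than a person reading mail.
    for user, times in per_account.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if n >= BURST_THRESHOLD:
                findings.append({"kind": "ews_burst", "account": user,
                                 "count": n, "first_seen": start})
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed records, `admin1` is flagged twice for privileged EWS use (two source addresses), twice for EWS from the VPN pool, and once for a four-request burst on 14 January; `jdoe`, an ordinary user on the internal LAN, produces nothing. In production the privileged-account list and VPN ranges would come from the directory and the VPN configuration rather than from constants.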

“Four days later,” the alert said, “the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration.”

The APT actors “implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system,” according to the alert.
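Impacket's remote-execution scripts leave a recognisable trace in process-creation telemetry on the target host: `cmd.exe` spawned under `WmiPrvSE.exe` (wmiexec) or `services.exe` (smbexec) with its output redirected to a loopback admin share such as `\\127.0.0.1\ADMIN$\__<timestamp>`. The article does not describe those patterns; they come from public documentation of the toolkit's behaviour, and the script below is an added defender-side example (not code from the article, CISA or the Impacket project) that classifies constructed Windows 4688-style records against them. Hostnames, paths and command lines in the sample are constructed.

```python
import re

# Constructed process-creation records in the shape of Windows Security
# event 4688 fields (not real logs): parent image, new image, command line.
SAMPLE_EVENTS = [
    {"host": "FS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c dir \\FS01\contracts$ 1> \\127.0.0.1\ADMIN$\__1617200000.18 2>&1"},
    {"host": "FS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"host": "WS22", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\jdoe\Documents > C:\Users\jdoe\list.txt"},
    {"host": "WS22", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
]

# Output redirected to a loopback admin share is the common hallmark of the
# wmiexec/smbexec execution style (public documentation). Assumption: nothing
# legitimate in the environment writes command output to \\127.0.0.1\ADMIN$ or C$.
LOOPBACK_ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\(ADMIN\$|C\$)\\", re.IGNORECASE)
WMIEXEC_OUTPUT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
SMBEXEC_BATCH = re.compile(r"\\execute\.bat", re.IGNORECASE)


def classify(event):
    """Return a label for an Impacket-style execution pattern, or None if the record is benign."""
    cmd = event["cmdline"]
    parent = event["parent"].lower()
    if not LOOPBACK_ADMIN_SHARE.search(cmd):
        return None
    if parent.endswith("wmiprvse.exe") and WMIEXEC_OUTPUT.search(cmd):
        return "impacket_wmiexec"
    if parent.endswith("services.exe") and SMBEXEC_BATCH.search(cmd):
        return "impacket_smbexec"
    # Loopback admin-share redirection with an unexpected parent still deserves a look.
    return "loopback_admin_share_redirect"


def scan(events):
    """Return (host, label) pairs for every record that matches a pattern."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((event["host"], label))
    return hits


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(host, label)
```

Run against the constructed records, the two `FS01` events are labelled `impacket_wmiexec` and `impacket_smbexec`, while the ordinary redirection to a user's profile and the plain `ipconfig` call on `WS22` are ignored. The loopback-share regex is the load-bearing check; the parent-process tests only refine which Impacket script is the likely source, so a tool variant that changes its output filename still lands in the generic bucket rather than being missed.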

“In April 2021, APT actors used Impacket for network exploitation activities. … From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. … APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.”