The U.S. government on Tuesday issued a Cybersecurity Advisory (CSA) disclosing the breach of a defense contractor’s enterprise network by advanced persistent threat (APT) actors over several months and outlining the tools and techniques used to steal sensitive data.
The CSA (AA22-277A), “Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization,” was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency. The name of the defense contractor wasn’t disclosed.
The threat activity occurred between March 2021 and January 2022. CISA and a third party hired by the victim to help respond to the incident identified the APT activity.
“During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment,” the CSA says. “APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.”
The advisory includes mitigations that the government recommends be implemented by defense companies and other critical infrastructure organizations to protect their networks.