Russian state-sponsored cyber actors targeting U.S. critical infrastructure

Threat Level – Amber | Vulnerability Report
Download PDF


For a detailed advisory, download the pdf file here

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle & aircraft and software development.

Threat actors gain initial access by using brute force to identify valid account credentials for domain and M365 accounts. Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources such as SharePoint pages user-profiles and user emails. They further used harvested credentials in conjunction with known vulnerabilities CVE-2020-0688 & CVE-2020-17144 in the Microsoft exchange server to escalate privileges and gain remote code execution (RCE) on the exposed applications. In addition, they have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrated credentials and export copies of the AD database “ntds.dit”. In multiple breaches, they maintained persistence for at least 6 months in the network continuously exfiltrating sensitive emails and data.

Organizations can mitigate the risk by following the recommendations: •Monitor the use of stolen credentials. •Keep all operating systems and software up to date. •Enable multifactor authentication (MFA) for all users, without exception. •

The Techniques commonly used by Russian cyber actor, APT28 are:

TA0043: Reconnaissance

TA0001: Initial Access

TA0004: Privilege Escalation

TA0005: Defense Evasion

TA0006: Credential Access

TA0007: Discovery

TA0009: Collection

TA0003: Persistence

TA0008: Lateral Movement

TA0011: Command and Control

T1027: Obfuscated Files or Information

T1133: External Remote Services

T1190: Exploit Public-Facing Application

T1083: File and Directory Discovery

T1482: Domain Trust Discovery

T1213.002: Data from Information Repositories: SharePoint

T1090.003: Proxy: Multi-hop Proxy

T1589.001: Gather Victim Identity Information: Credentials

T1003.003: OS Credential Dumping: NTDS

T1110.003: Brute Force: Password Spraying

T1566.002: Phishing: Spearphishing Link

T1078.002: Valid Accounts: Domain Accounts

T1078.004: Valid Accounts: Cloud Accounts


Actor Details

Vulnerability Details


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox