The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint advisory this week (AA22-277A) detailing how multiple nation-state hacking groups compromised a Defense Industrial Base (DIB) sector organization's enterprise network as part of a cyber espionage campaign.
The joint advisory explains that the hacking groups used the open-source toolkit Impacket to gain a foothold within the environment and move further into the network, and a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.
CISA conducted its incident response engagement at the organization between November 2021 and January 2022; the activity it uncovered dates back to early 2021. The advisory does not name the victim organization.
“During incident response activities, CISA uncovered that likely multiple [advanced persistent threat (APT)] groups compromised the organization’s network, and some APT actors had long-term access to the environment,” the advisory reads.
Some APT actors reportedly gained initial access to the organization's Microsoft Exchange Server as early as mid-January 2021; the advisory does not establish the initial access vector. Later, they returned and used the Windows Command Shell to learn about the organization's environment and to collect sensitive data, before bringing in two Impacket tools (the advisory names wmiexec.py and smbexec.py) to execute commands on other hosts.
“In April 2021, APT actors used Impacket for network exploitation activities,” the advisory reads. “From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files.”
The security agencies recommended that organizations monitor logs for connections from unusual virtual private servers (VPSs) and virtual private networks (VPNs); for suspicious account use, such as inappropriate or unauthorized use of administrator, service, or third-party accounts; for anomalous and known malicious command-line usage; and for unauthorized changes to user accounts, such as account creation, permission changes, or re-enabling of a previously disabled account.
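The last of those recommendations, watching process-creation logs for anomalous and known-malicious command-line use, is the one that catches Impacket most reliably, because its remote-execution helpers leave a distinctive command-line shape by default. The detector below is an added example, not code from the advisory or from the Impacket project. It assumes process-creation auditing with command-line capture (Event ID 4688) is enabled and reads a constructed, simplified tab-separated rendering of those events; the regular expressions encode the default output-redirection strings of wmiexec.py and smbexec.py, and the host names, accounts and commands in the sample are invented.

```python
"""Flag Impacket-style remote execution in Windows process-creation logs.

Added example (not from the advisory or the Impacket project). Assumes
command-line auditing for Event ID 4688 is enabled; the input format is a
constructed, simplified tab-separated rendering of those events:
    host <TAB> user <TAB> parent image <TAB> new-process command line
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Default command-line shapes of Impacket's remote-execution helpers
# (the tools' default options; operators can change share and file names):
#   wmiexec.py:  cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix-timestamp> 2>&1
#   smbexec.py:  %COMSPEC% /Q /c echo <cmd> ^> \\127.0.0.1\C$\__output 2^>^&1
#                > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
WMIEXEC_RE = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE)
SMBEXEC_RE = re.compile(
    r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.IGNORECASE)
# Broader net: any cmd.exe output redirected to a loopback admin share.
LOOPBACK_SHARE_RE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\", re.IGNORECASE)

# Parent process each helper normally spawns from; a matching parent
# corroborates the command-line match.
EXPECTED_PARENT = {
    "impacket-wmiexec": "wmiprvse.exe",  # WMI provider host runs the command
    "impacket-smbexec": "services.exe",  # smbexec runs it as a service (default name BTOBTO)
}


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    technique: str
    command_line: str
    corroborated: bool


def classify(cmdline: str) -> Optional[str]:
    """Return a technique label for a suspicious command line, else None."""
    if WMIEXEC_RE.search(cmdline):
        return "impacket-wmiexec"
    if SMBEXEC_RE.search(cmdline):
        return "impacket-smbexec"
    shell = cmdline.lstrip().lower()
    if LOOPBACK_SHARE_RE.search(cmdline) and shell.startswith(("cmd.exe", "cmd ", "%comspec%")):
        return "loopback-admin-share-redirect"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Scan constructed 4688-style lines and return all findings in input order."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # malformed record; a real pipeline would log it
        host, user, parent, cmdline = parts
        technique = classify(cmdline)
        if technique is None:
            continue
        expected = EXPECTED_PARENT.get(technique)
        parent_name = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append(Finding(host, user, parent, technique, cmdline,
                                corroborated=parent_name == expected))
    return findings


# Constructed sample events (hosts, accounts and commands are invented).
SAMPLE_4688 = (
    "# host\tuser\tparent image\tcommand line\n"
    "FS01\tCORP\\svc_backup\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\t"
    "cmd.exe /Q /c dir \\\\FS01\\contracts 1> \\\\127.0.0.1\\ADMIN$\\__1648053215.1254 2>&1\n"
    "FS01\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\services.exe\t"
    "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"
    " & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat\n"
    "WS22\tCORP\\jdoe\tC:\\Windows\\explorer.exe\t"
    "cmd.exe /c dir C:\\Users\\jdoe\\Documents > C:\\Users\\jdoe\\out.txt\n"
    "EXCH01\tCORP\\admin1\tC:\\Windows\\System32\\cmd.exe\t"
    "cmd.exe /c type secret.txt > \\\\127.0.0.1\\ADMIN$\\notes.txt\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_4688.splitlines()):
        flag = "corroborated by parent" if f.corroborated else "parent not typical"
        print(f"{f.host} {f.user} {f.technique} ({flag}): {f.command_line}")
```

Run as a script, it reports the wmiexec and smbexec events on FS01 as corroborated by their parent processes and the EXCH01 event as a generic loopback-share redirect with an untypical parent; the ordinary file redirect on WS22 is not flagged. The two tool-specific rules are high confidence when they fire but are not complete coverage, since an operator can rename the share, the output file and the service name through Impacket's options; the loopback-share rule is the broader net and is where tuning against legitimate administrative activity belongs.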