Press Release | Oct. 4, 2022

NSA, CISA, FBI Warn of Custom Exfiltration Tools Being Used Against Defense Industrial Base Organization

FORT MEADE, Md. — The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a Cybersecurity Advisory today that details the tactics, techniques and procedures (TTPs) that likely multiple advanced persistent threat (APT) groups recently used to steal sensitive information from a Defense Industrial Base organization. The advisory, "Impacket, Custom Exfiltration Tools Used to Steal Sensitive Information from Defense Industrial Base Organization," provides indicators of compromise and TTPs used by the groups and shares guidance to detect and prevent related activity.

During a hunt on the organization's network, CISA and a third-party incident response organization discovered the following malicious activity:

  • Once on the network, APT actors leveraged Impacket in their attack, a toolkit for programmatically constructing and manipulating network protocols
  • The actors used a custom exfiltration tool called CovalentStealer to steal the victim's data
  • The actors exploited a Microsoft Exchange vulnerability on the organization's server to gain access remotely and compromised legitimate company accounts to access the accounts of other employees

They recommend that Defense Industrial Base sector and other critical infrastructure organizations implement the mitigations in the advisory to ensure they are managing and reducing  threats to their networks.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.