- The Cybersecurity and Infrastructure Security Agency released an alert, named AA22277A, about a state-sponsored APT group stealing data from a Defense Industrial Base sector organization.
- The joint advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).
- The APT group used a combination of a custom malware named CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro RAT, and ChinaChopper webshell samples.
The Cybersecurity and Infrastructure Security Agency published an Alert, named AA22277A, about an incident in which multiple state-sponsored APT groups stole sensitive data from a Defense Industrial Base (DIB) Sector organization’s enterprise network. The investigation showed that some of the APT groups had long-term access to the environment and used the open-source Impacket toolkit to establish a foothold and then compromise the network further. The groups then used a custom data exfiltration tool, named CovalentStealer, to steal sensitive information from the environment.
Custom data exfiltration tool
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) announced that the agencies worked with a third-party security firm from November 2021 through January 2022. However, the initial infection vector is still unknown, and CISA did not disclose whether the attack is attributed to a known threat group.
According to the report, the attackers used a combination of a custom malware named CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro RAT, and ChinaChopper webshell samples. CISA stated that in March 2021, the APT exploited four vulnerabilities, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, to install 17 China Chopper webshells on the Exchange Server. Also in March, the group installed the HyperBro RAT.
In April, the group used Impacket for network exploitation activities. From July to October, the actors used a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files.
In the advisory, CISA provided technical information for government agencies to detect, remediate, and mitigate the attacks. CISA said,
« In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory.
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze the performance of your detection and prevention technologies.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. »
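The quoted advisory steps (pick a technique, align a detection to it, test it, analyze the result, tune) can be exercised on a small scale. The example below is added here and is not code from the advisory or from CISA: it runs two detection rules for the default command-line artifacts left by Impacket's wmiexec and smbexec helpers over a handful of constructed process-creation records (the field names, paths and timestamps are assumptions made up for this example), scores the rules against the labels, and then shows how a broader rule closes a gap the default-artifact rules miss. Everything in `SAMPLE_EVENTS` is synthetic.

```python
import re

# Constructed process-creation records (assumption: fields loosely mirror Sysmon
# Event ID 1 / Windows 4688 data). The "label" field is the ground truth used to
# score the rules, as in the advisory's "analyze the performance" step.
SAMPLE_EVENTS = [
    # wmiexec default: WmiPrvSE.exe spawns cmd.exe, output redirected to a
    # "__<timestamp>" file on the loopback ADMIN$ share.
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1664531234.12 2>&1",
     "label": "impacket"},
    # smbexec default: a service runs a batch file whose output goes to
    # "__output" on the loopback C$ share.
    {"parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                r"> C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
                r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",
     "label": "impacket"},
    # Benign: a user redirecting output to a local file.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\Users > C:\Users\alice\out.txt",
     "label": "benign"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1664531300.99 2>&1",
     "label": "impacket"},
    # Benign: a scheduled inventory script.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
     "label": "benign"},
    # Same wmiexec behaviour, but the operator changed the default output file
    # name, so a rule keyed on "__<timestamp>" alone will miss it.
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\out.txt 2>&1",
     "label": "impacket"},
]

# Default artifact patterns. Both are trivially changed by an operator, which is
# exactly why the advisory loop ends with "tune".
WMIEXEC_OUTPUT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
SMBEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.IGNORECASE)
# Broader behavioural pattern: any redirection to a loopback admin share.
LOOPBACK_ADMIN_SHARE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\", re.IGNORECASE)


def wmiexec_default(ev):
    return bool(WMIEXEC_OUTPUT.search(ev["cmdline"]))


def smbexec_default(ev):
    return bool(SMBEXEC_OUTPUT.search(ev["cmdline"]))


def wmi_loopback_redirect(ev):
    """cmd.exe spawned by the WMI provider host and writing to \\127.0.0.1\ADMIN$."""
    return (ev["parent"].lower().endswith("wmiprvse.exe")
            and bool(LOOPBACK_ADMIN_SHARE.search(ev["cmdline"])))


# Step 2 of the loop: the rule set aligned to the technique.
RULES_NARROW = [("impacket_wmiexec", wmiexec_default),
                ("impacket_smbexec", smbexec_default)]
# The tuned set after analysing the miss above.
RULES_TUNED = RULES_NARROW + [("wmi_spawned_loopback_redirect", wmi_loopback_redirect)]


def classify(ev, rules):
    """Return the name of the first rule that fires for this event, or None."""
    for name, predicate in rules:
        if predicate(ev):
            return name
    return None


def evaluate(events, rules):
    """Steps 3 and 4: run the rules and compare the verdicts against the labels."""
    tp = fp = fn = tn = 0
    for ev in events:
        hit = classify(ev, rules) is not None
        truth = ev["label"] == "impacket"
        if hit and truth:
            tp += 1
        elif hit:
            fp += 1
        elif truth:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "precision": tp / (tp + fp) if tp + fp else 0.0}


if __name__ == "__main__":
    for label, rules in (("default-artifact rules", RULES_NARROW), ("tuned rules", RULES_TUNED)):
        print(label, evaluate(SAMPLE_EVENTS, rules))
```

The narrow rules catch the stock tooling but miss the renamed output file (recall 0.75 on this sample); the behavioural rule on parent process plus loopback-share redirection recovers it without flagging either benign record. The same loop applies to the other techniques in the advisory: keep a labelled sample per technique, re-run it whenever a rule or a sensor changes, and treat a drop in recall or precision as the signal to tune.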