APTs Exploited Microsoft Exchange to Hack Defense Industrial Base Organization

Cyberattacks are still on the rise, and even the government is not safe. The CISA, FBI, and NSA released a report yesterday that describes the tools and techniques used by advanced persistent threat (APT) actors that compromised the network of an unnamed organization in the defense industrial base (DIB) sector. The joint alert revealed that the purpose of the attack was to steal sensitive contract-related data and credentials and that the APTs exploited Microsoft Exchange flaws.

Perhaps the most surprising part about the incident is how long it went on. The groups gained access as early as January 2021 and managed to remain hidden for a year, into January 2022.

According to the joint report from the CISA, FBI, and NSA, they “conducted an incident response engagement on a DIB Sector organization’s enterprise network” that lasted from November 2021 through January 2022. During that time, APT activity was identified on the victim’s network.

While the initial access vector is undetermined, various tools and exploits were used to further compromise the network after initial entry. The threat groups utilized the open-source toolkit Impacket and a data exfiltration tool called CovalentStealer. They also gathered data from the organization’s Microsoft Exchange server, managing to get ahold of a compromised administrator account to gain further access.

Once they had the needed access, the threat groups collected sensitive data that included contract-related information, the company’s emails, meetings, contacts, and other records. All of this took place throughout 2021, with the groups exploiting Microsoft Exchange remote code execution flaws to install web shells and steal files that were then stored on a Microsoft OneDrive cloud folder.

Furthermore, CISA said, “The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization’s multifunctional devices.”

Impacket is a prevalent threat because it enables threat actors to retrieve credentials, issue commands, and deliver additional malware to systems. It is also used by threat groups to achieve lateral movement.

The severity of this matter cannot be underestimated since organizations in the DIB sector deal with particularly sensitive data. That includes everything from communicating with senior Pentagon officials to maintaining control facilities for the United States’ strategic deterrent infrastructure.

The industry is even classified as a critical infrastructure sector, and it has been the subject of efforts to improve cybersecurity in recent days. The change is long overdue with the sensitivity of the data housed in these organizations. But will that be enough?

Many believe that there is an overreliance on Microsoft products and services in government, which is open to exploitation just like how the APTs exploited the Microsoft Exchange in this case. Currently, Microsoft has an 85% share in the IT infrastructure of the federal government.