FORT MEADE, Md. — The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI released a Cybersecurity Advisory today that details the tactics, techniques and procedures (TTPs) that multiple advanced persistent threat (APT) groups likely used recently to steal sensitive information from a Defense Industrial Base organization. The advisory, “Impacket, Custom Exfiltration Tools Used to Steal Sensitive Information from Defense Industrial Base Organization,” provides indicators of compromise and the TTPs used by the groups, and shares guidance to detect and prevent related activity.
During a hunt on the organization’s network, CISA and a third-party incident response organization discovered the following malicious activity:
- Once on the network, APT actors leveraged Impacket, a toolkit for programmatically constructing and manipulating network protocols, in their attack
- The actors used a custom exfiltration tool called CovalentStealer to steal the victim’s data
- The actors exploited a Microsoft Exchange vulnerability on the organization’s server to gain access remotely and compromised legitimate company accounts to access the accounts of other employees
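As an added detection example (not part of this press release or of the advisory it summarizes), the following Python hunt flags Windows process-creation command lines that carry the default output-redirection artifacts of Impacket's `wmiexec.py` and `smbexec.py`. The patterns come from public knowledge of those two scripts' defaults (an assumption about unmodified tool builds, not something this page states), and the log records are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation records, not taken from the advisory:
# (hostname, parent image, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("ws01", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1664000000.12 2>&1"),
    ("ws02", "C:\\Windows\\System32\\services.exe",
     "%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 "
     "> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat "
     "& del %TEMP%\\execute.bat"),
    ("ws03", "C:\\Windows\\explorer.exe", "cmd.exe /c dir C:\\Users"),
    ("ws04", "C:\\Program Files\\Backup\\agent.exe",
     "robocopy D:\\data \\\\fileserver\\backup /MIR"),
]

# Assumed default artifacts of unmodified Impacket scripts:
#  - wmiexec.py runs "cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1"
#    so it can read the output back over SMB from the loopback address.
#  - smbexec.py creates a service whose command echoes the operator's command
#    into a batch file and redirects its output to \\127.0.0.1\<share>\__output.
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\\w+\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)
SMBEXEC_RE = re.compile(
    r"/Q\s+/c\s+echo\s.*\^>\s*\\\\127\.0\.0\.1\\\w+\$\\__output",
    re.IGNORECASE,
)
# Lower-confidence catch-all: any output redirect into a loopback UNC path is
# unusual for legitimate administration and worth a look on its own.
LOOPBACK_REDIRECT_RE = re.compile(r">\s*\\\\127\.0\.0\.1\\", re.IGNORECASE)


def classify(command_line: str) -> Optional[str]:
    """Return a detection label for a command line, or None if it looks benign."""
    if WMIEXEC_RE.search(command_line):
        return "impacket-wmiexec"
    if SMBEXEC_RE.search(command_line):
        return "impacket-smbexec"
    if LOOPBACK_REDIRECT_RE.search(command_line):
        return "loopback-unc-redirect"
    return None


def hunt(events: List[Tuple[str, str, str]]) -> List[dict]:
    """Run the classifier over process-creation records and collect the hits."""
    hits = []
    for host, parent, cmd in events:
        label = classify(cmd)
        if label:
            hits.append({"host": host, "parent": parent, "tool": label,
                         "command_line": cmd})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['tool']} (parent {hit['parent']})")
```

In a real deployment the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; the parent image is kept in the output because `WmiPrvSE.exe` and `services.exe` spawning `cmd.exe` with these redirects is the combination that separates these two Impacket scripts from an administrator typing a redirect by hand.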
Source: U.S. National Security Agency/Central Security Service