Joint Cybersecurity Advisory – Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

This week, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) published a joint Cybersecurity Advisory (CSA) to highlight malicious cyber activity by advanced persistent threat (APT) actors observed on a Defense Industrial Base sector organization’s enterprise network. Most notably, the advisory highlights how threat actors continue to successfully maintain persistence in victim networks by leveraging legitimate account credentials.

Summary: From November 2021 through January 2022, CISA responded to APT activity on a Defense Industrial Base Sector organization’s enterprise network. While conducting incident response activities, CISA discovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the network. According to the CSA, “APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.” The initial access vector is unknown. However, the APT actors maintained persistence likely by relying on legitimate account credentials. Furthermore, the tools allowed an Impacket user with credentials to “run commands on the remote device using the Windows management protocols required to support an enterprise network.”

The advisory includes APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during incident response. Mitigation recommendations are also provided for network defenders.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.

Members are encouraged to report incidents and suspicious activities, first to local and other law enforcement authorities and then to WaterISAC by emailing an*****@*******ac.org, calling 866-H2O-ISAC, or using the online incident reporting form.