Securing U.S. Cleared Defense Contractors Against Russian State-Sponsored Attacks


State-sponsored attacks frequently target numerous U.S. Cleared Defense Contractor (CDC) networks to obtain critical information and other sensitive assets related to the U.S. government’s national security and defense capabilities. For state-sponsored threat actors, gaining access to highly classified information allows their rogue state to mount malicious campaigns to disrupt or damage public and private infrastructures that power today’s modern world.

Although state-sponsored attackers are often referred to as advanced persistent threat (APT) actors, they often use common but effective tactics to access target networks, such as brute-force attacks, spear phishing, password spray techniques, credential harvesting, and exploiting vulnerabilities in VPN devices. Afterward, they move laterally to build persistence and steal data.

In a recent joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the U.S. Federal Bureau of Investigation (FBI) disclosed that Russian state-sponsored threat actors are actively targeting CDC networks in retaliation for U.S. sanctions due to the Kremlin’s role in the ongoing invasion of Ukraine. Per the joint advisory, the targets include a broad range of U.S. government agencies, private organizations, and defense contractors, concentrated in sectors that appear vulnerable to active espionage campaigns, including command and control combat systems, telecommunications, weapons and missile development, vehicle and aircraft design, software development, logistics and data analytics, and more.

Unfortunately, the sensitive information at risk includes plans for information technology and communications infrastructure, vehicle specifications, and valuable insight into U.S. weapons systems’ development and deployment schedules. This article explains how to secure U.S. CDCs against Russian state-sponsored cyberattacks.

State-sponsored actor motivations and targets

State-sponsored threat actors are motivated by military, economic, or political interests, typically employing malicious cyber campaigns to gain access to sensitive assets for competitive advantage. As a result, state-sponsored threat actors tend to target third-party vendors to achieve these aims. In addition, the classified nature of data handled by a third party is often not entirely appreciated, or a company may not see itself as a state-sponsored target. Consequently, it may lack the required level of prevention, detection, and mitigation capabilities to avert state-sponsored attacks.

State-sponsored actors use attack methods commonly leveraged by penetration testers and other threat actors. They do this because these methodologies work effectively and are generic, unable to be ascribed to any specific group. These often involve the use of targeted phishing emails and exploiting known vulnerabilities.

Russian state-sponsored attackers’ tactics, techniques, and procedures

In a joint cybersecurity advisory co-authored by the FBI, CISA, and the U.S. Department of Energy (DOE), information showed that Russian state-sponsored cyber actors conducted multiple intrusion campaigns from 2011 to 2018 on the U.S. and international energy sector organizations.

On March 24, 2022, the United States Department of Justice indicted three Russian Federal Security Service (FSB) officers and an employee of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for their participation in several intrusion campaigns against U.S. and international energy companies, oil refineries, and nuclear facilities. The joint cybersecurity advisory (CSA) also summarizes common tactics, techniques, and procedures (TTPs) used in Russian state-sponsored cyber operations.

Global energy sector intrusion campaign

From 2011 to 2018, the Russian Federal Security Services (also known as Berserk Bear, Energetic Bear, Dragonfly, Crouching Yeti, Havex, or Koala) conducted an intrusion campaign against U.S. and international energy sector organizations. The attackers acquired remote access and deployed malware to gather industrial control systems (ICS)-related information on compromised energy sector networks and exfiltrated enterprise process data.

From 2013 to 2014, the threat actor used Havex malware on energy sector networks. They gained access to victim networks through redirects to compromised websites, spear-phishing emails, and malicious versions of authentic software updates on several ICS vendor websites. The new updates contained Havex malware, which infected the systems of those who downloaded the compromised updates.

Havex is a remote access trojan (RAT) that interacts with a command and control (C2) server. The C2 server delivers payloads that enumerate the network’s resources and use the Open Platform Communications (OPC) standard to collect information about resources and connected control system devices within the network. Havex allowed attackers to install additional malware and extract data, including installed programs and lists of files, system information, VPN configuration files, and email address books. In addition, the Havex payload can make regular OPC platforms crash, resulting in a denial of service on applications that depend on OPC communications.

In 2016, the threat actor began targeting U.S. energy sector networks widely. They carried out these attacks in two stages: first targeting third-party commercial organizations (suppliers, vendors, and integrators) and then targeting energy sector organizations. They used compromised third-party infrastructure to conduct watering hole, spear-phishing, and supply chain attacks, pivoting to energy sector enterprise networks and harvesting energy sector credentials. After gaining access to these networks, the actor performed network discovery, moved laterally, persisted, then gathered and exfiltrated information concerning ICS from the enterprise and operational technology (OT) environments. The information included layout diagrams, vendor information, ICS architecture, and reference documents.

Compromise of Middle East–based energy sector organization with TRITON malware

In 2017, Russian state-sponsored cyber actors associated with TsNIIKhM gained access to and tampered with a foreign oil refinery’s safety device. TsNIIKhM actors deployed TRITON malware on the ICS controllers, resulting in the refinery shutting down for many days.

TRITON is a sophisticated, custom-built and multi-stage malware that affected Schneider Electric’s Triconex Tricon, which is a safety programmable logic controller (PLC) that monitors industrial processes to avert hazardous conditions. TRITON can directly communicate with, remotely control, and alter these safety systems. As these systems are often deployed in many environments, the capacity to inhibit, disable, or modify a process’s ability to fail safely could result in physical consequences.

TRITON malware affected Triconex Tricon PLCs by altering in-memory firmware to add extra programming. The additional functionality allows an attacker to execute custom code and read/modify memory contents, deactivating the safety system. TRITON malware has several components, including four Python modules, a custom Python script, and malicious shellcode containing a payload and an injector.

In 2018, the indicted TsNIIKhM cyber actor was also part of an activity targeting U.S. energy sector companies. In addition, other TsNIIKhM-associated actors have regularly targeted facilities of U.S.-based companies to infiltrate and gain access to OT systems. However, the U.S. DOE, the FBI, and CISA have limited information to show that these actors have deliberately disrupted any U.S. energy sector infrastructure.

Challenges defending against Russian state-sponsored attacks

Prevention challenges

Russian state-sponsored actors often use tactics that are typical of APTs but effective. These include brute force, spear-phishing, and exploiting known vulnerabilities against networks with weak security to gain access to target networks. Additionally, these state-sponsored cyberattacks are carried out using sophisticated cyber capabilities and tradecraft, such as compromising third-party software and infrastructure or developing and deploying tailored malware.

The actors have also shown the capability to uphold unrelenting, undetected, lasting access in compromised environments by using authentic credentials. These tactics make the prevention of attacks difficult for a non-robust system.

Detection challenges

Many organizations only find out about a cyberattack when someone else tells them about it. Most attack types are usually visible in a short period, whether opportunistic, hacktivist, or financially motivated. State-sponsored actors hardly make noise or create disruption to trigger detection or warrant suspicion. Instead, they aim to oversee communications and access to sensitive data.

They often plant hidden malware as persistence mechanisms on systems throughout victim networks, where it may stay dormant or untouched for years. They can remain invisible until the victim tries to evict the actors, and — just when the victim thinks the eviction has succeeded — the actors will use this malware to regain access and continue operations.

Mitigation challenges

Malicious cyber actors target organizations on holidays and weekends when there are unchecked gaps in organizational cybersecurity. In addition, critical cybersecurity agencies that do not proactively protect themselves are at risk of having gaps in coverage. This concern makes it difficult to mitigate attacks effectively.

Also, a lack of internal contact lists prevents an organization from assigning main contact points for a suspected incident and roles and responsibilities. Thus, it becomes difficult for personnel to know how and when to report an incident. Equally, IT/OT security personnel cannot monitor key internal security capabilities and identify anomalous behavior for immediate response.

How to defend against state-sponsored attacks

Security hardening solutions for critical infrastructure environments

Hardening critical infrastructure means having a secure environment that is “hack-proof” to the best of your abilities. Hardening a system involves removing or mitigating vulnerabilities. Unfortunately, cyber actors often exploit these vulnerabilities to access networks, devices, and systems.

Security hardening usually involves locking down configurations to balance security and operational functionality. Another crucial component of this effort is vulnerability management and change control. Moreover, these solutions produce visibility and controls to help maintain a hardened security standard.

Benefits of Systems Hardening

Although infrastructure hardening requires a vast, continuous effort, it is beneficial for organizations. Below are some notable advantages:

  • Increased security level – the very nature of systems hardening reduces the attack surface, reducing the probability and impact of a security incident.
  • Improved system functionality – security hardening often involves shutting off programs and services that an organization is not utilizing. As a result, it improves overall system functionality and reduces incompatibilities and operational issues that could otherwise lead to configurational vulnerabilities.
  • Easier auditing and compliance checks – security hardening can help transform a complex environment into a simpler one with fewer accounts and programs with automated and predictable configurations. This benefit introduces a more transparent and straightforward environment that is simpler to audit and monitor.

Endpoint and network monitoring solutions

Endpoint and network monitoring help track and control all endpoints on a network. Endpoints can be physical devices such as smartphones, servers, or PCs. They can also be software-based entities such as gateways to cloud storage services or virtual machines. This security solution assists IT staff in keeping track of network locations and monitoring vital information such as the software running on each endpoint, the location of each endpoint on the network, and the network ports exposed by the endpoint.

Typically, there are three core components of endpoint and network monitoring tools: attack prevention, detection, and mitigation.

1. Prevention

  • Blocking malware execution
  • Security hardening
  • Application control

2. Detection

3. Mitigation

  • Incident response and attack containment
  • Vulnerability and configuration management

Enhance your organization’s cyber posture

The U.S. intelligence community urges organizations to apply best practices that enhance their cyber resilience posture.

Some of those resilience-developing best practices are as follows:

Identity and access management

  • Make multi-factor authentication for all users a requirement, without exception.
  • Require accounts to have robust passwords, and prevent passwords from being reused across multiple accounts or saved on a vulnerable system.
  • Secure credentials. State-sponsored actors have shown their ability to use compromised credentials persistently.
  • Create a strong password policy for all service accounts.
  • Audit domain controllers to ensure they log successful Kerberos ticket-granting service (TGS) requests, and check those events for irregular activity.
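One way to act on the TGS auditing item above, as an added example that is not from the advisory or from LogRhythm: parse Windows Security event 4769 (service ticket requested) records and flag accounts that receive RC4-encrypted tickets or request an unusual number of distinct services in a short window. The flat key=value record format, the sample records, and the burst thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 (TGS request) records in a flat key=value form,
# as a log forwarder might emit them; these are not real events.
SAMPLE_LOG = """\
2022-03-01T02:14:05 EventID=4769 Account=jdoe@CORP.LOCAL Service=CIFS/fs01 TicketEncryptionType=0x12
2022-03-01T02:20:41 EventID=4769 Account=jdoe@CORP.LOCAL Service=HTTP/intranet TicketEncryptionType=0x12
2022-03-01T03:01:02 EventID=4769 Account=contractor7@CORP.LOCAL Service=MSSQLSvc/db01 TicketEncryptionType=0x17
2022-03-01T03:01:02 EventID=4769 Account=contractor7@CORP.LOCAL Service=MSSQLSvc/db02 TicketEncryptionType=0x17
2022-03-01T03:01:03 EventID=4769 Account=contractor7@CORP.LOCAL Service=HTTP/web01 TicketEncryptionType=0x17
2022-03-01T03:01:03 EventID=4769 Account=contractor7@CORP.LOCAL Service=HTTP/web02 TicketEncryptionType=0x17
2022-03-01T03:01:04 EventID=4769 Account=contractor7@CORP.LOCAL Service=ldap/dc01 TicketEncryptionType=0x17
2022-03-01T03:01:04 EventID=4769 Account=contractor7@CORP.LOCAL Service=exchangeMDB/mail01 TicketEncryptionType=0x17
2022-03-01T04:10:00 EventID=4769 Account=svc-backup@CORP.LOCAL Service=CIFS/fs01 TicketEncryptionType=0x17
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=4769 Account=(?P<acct>\S+) Service=(?P<svc>\S+) "
                     r"TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)$")

RC4_HMAC = 0x17                       # TicketEncryptionType value for RC4-HMAC
BURST_WINDOW = timedelta(minutes=5)   # assumption: tune to the environment
BURST_SERVICES = 5                    # assumption: distinct services per window

def parse_events(text):
    """Parse lines in the constructed format above; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"time": datetime.fromisoformat(m["ts"]), "account": m["acct"],
                           "service": m["svc"], "etype": int(m["etype"], 16)})
    return events

def find_irregular_tgs(events, window=BURST_WINDOW, burst=BURST_SERVICES):
    """Return {account: [reasons]} for accounts whose TGS requests look irregular."""
    findings = defaultdict(list)
    by_account = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC:
            # An RC4 service ticket stands out in a domain that normally issues AES (0x12)
            findings[ev["account"]].append(f"RC4 ticket for {ev['service']}")
        by_account[ev["account"]].append(ev)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0                      # sliding window over this account's requests
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            if len(distinct) >= burst:
                findings[account].append(f"{len(distinct)} distinct services within {window}")
                break
    return dict(findings)
```

Run `find_irregular_tgs(parse_events(SAMPLE_LOG))` to see the flagged accounts; in production the same functions would take the forwarder's 4769 feed instead of the sample.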

Protective controls and architecture

  • Identify, detect, and inspect anomalous activity that may signify lateral movement by malware or threat actor. Use monitoring tools like network detection and response or endpoint detection and response (EDR).
  • Enable robust spam filters to stop phishing emails from reaching end users.
  • Filter emails containing executable files to stop them from reaching end users.
  • Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.
  • Properly implement network segmentation between OT and IT networks. This control measure restricts attackers from moving to the OT network if the IT network is compromised.
  • Set up OT assets into logical zones by considering consequence, criticality, and operational necessity. Set proper communication channels between the zones and organize security controls for network traffic filtering and communications monitoring between zones.
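The executable-attachment filter from the list above, implemented as an added example (not LogRhythm's or the advisory's code): it inspects each attachment by file extension and by the PE "MZ" magic bytes, and looks inside ZIP containers, where renamed executables are commonly hidden. The extension list, the sample message, and the helper names are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions treated as executable content (assumption; extend to match local policy).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".ps1"}
PE_MAGIC = b"MZ"   # DOS/PE header on Windows executables, whatever the file is named

def _has_exec_ext(name):
    name = (name or "").lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTS)

def _zip_contains_executable(data):
    """Open the bytes as a ZIP and check members by name and by magic bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _has_exec_ext(info.filename):
                    return True
                with zf.open(info) as member:
                    if member.read(2) == PE_MAGIC:
                        return True
    except (zipfile.BadZipFile, RuntimeError):   # not a ZIP, or encrypted member
        return False
    return False

def executable_attachments(raw_message):
    """Return the file names of attachments that carry executable content."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if _has_exec_ext(name) or data[:2] == PE_MAGIC or _zip_contains_executable(data):
            flagged.append(name)
    return flagged

def build_sample():
    """Constructed test message: a benign PDF plus a ZIP hiding a renamed executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "vendor@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="quote.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

A gateway would call `executable_attachments()` on each inbound message and quarantine any message for which the list is non-empty.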

Vulnerability and configuration management

  • Regularly update software, including applications, firmware, and operating systems on IT network assets. Prioritize fixing known exploited vulnerabilities.
  • Only use company-recommended antivirus programs.
  • Implement standard configuration management programs. Check that the programs can track and mitigate potential threats. Assess system configurations for security weaknesses and misconfigurations.
  • Disable all unnecessary protocols and ports.

Security training and awareness solutions

Cyber attackers are targeting the human element more than ever, and most cybersecurity issues can be linked to human error. Ensure that everyone knows what to do when facing a real threat by equipping them with specific, threat-guided education. Create a culture of security awareness and curb unsafe behaviors by:

  • Assessing: know your organization’s baseline and where the gaps in user cybersecurity knowledge and in the program lie. Phishing simulations and knowledge assessment tests driven by threat intelligence indicate where to focus your program.
  • Changing behavior: assign tailored, threat-driven training to change unsafe behavior. Targeted cybersecurity education helps you drive behavior change by focusing on needs and areas of weakness.
  • Metric evaluation: measure the performance of the security training and awareness program by capturing its metrics. Identify click rates, user-reported email accuracy rates, and reporting rates for both real-world and simulated attacks. Security training and awareness improve your program’s visibility and help you focus on areas of improvement.

Security compliance and policy revisions

Although many tend to see security compliance and policies as rigid and unchanging, they should change and evolve as new technologies are implemented, as a company grows or enforces new regulations, or as new threats are detected.

Security compliance and policies ensure that an organization’s data is effectively protected. Without reviewing and revising your organization’s policies, it is difficult to measure the effectiveness of the security standards and procedures introduced to identify potential threats and suspicious activity, minimize the risk of breaches, and provide an action plan to guide every organization.

Some security compliance and policy best practices to adhere to:

  • Review security compliance, policies, and procedures annually.
  • Review policies when there are vital changes to operational processes and workflows.
  • Test the contents of your security governance documentation to gauge its effectiveness.
  • Do not wait until an incident occurs before identifying security governance and compliance documentation that needs updating.
Today’s evolving threat landscape allows rogue nation-states to conduct effective espionage campaigns against government agencies and organizations that support them. By leveraging state-sponsored threats, rogue nation-states can steal critical assets and gain access to environments that implicate national security. Although the possibility of attributing a cyberattack to a particular nation-state with absolute precision is low, the success rate of an intensive effort by a state-sponsored threat actor is practically assured. Thus, security teams should be equipped with the visibility and capabilities to protect critical infrastructures and networks proactively.

To effectively prevent, detect, and mitigate cyberattacks, U.S. Cleared Defense Contractors must streamline and strengthen their cyber threat and vulnerability management approach. LogRhythm can collaborate with security teams and defense contractors (and sub-contractors), ready to defend against advanced persistent, state-sponsored threat actors.

Is your organization part of the U.S. Defense Industrial Base (DIB)? Does your team provide critical infrastructure services to the U.S. government? If so, then LogRhythm is ready to defend your crown jewels against state-sponsored APT actors. Unlike other solutions that lack cohesive compatibility, our SIEM platform embeds a one-solution package into your security architecture that integrates fundamental security capabilities to enhance your cyber resilience posture.