
Cyber attack Campaign Targets Military Contractors

vipnak
Last updated: 2022/09/29 at 6:17 AM

A cyber attack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyber threats targeting defense contractors in the US and elsewhere.


The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.


What makes the campaign noteworthy, according to the security vendor, is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze.

The PowerShell-based malware stager used in the attacks has “featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code,” Securonix said in a report this week.

Uncommon Malware Capabilities

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) file with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea’s APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a “rather large and robust chain of stagers,” each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities, which include monitoring a long list of processes that could be used to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix’s Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware’s attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: “Some obfuscation techniques, such as using PowerShell get-alias to perform [the invoke-expression cmdlet] are very rarely seen.”
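A detection heuristic for the Get-Alias indirection mentioned above, as an added example that is not from Securonix or the original article: it scans PowerShell script block log records (Event ID 4104) for an alias lookup whose wildcard pattern resolves to iex and whose result is then invoked. The record layout, host names and script strings are constructed for illustration.

```python
import fnmatch
import re

# Get-Alias (or its built-in alias "gal") inside a parenthesised expression
# that is invoked with the call (&) or dot-source (.) operator.
ALIAS_CALL = re.compile(
    r"[&.]\s*\(\s*(?:get-alias|gal)\s+(?:-name\s+)?['\"]?([^\s'\")]+)['\"]?[^)]*\)",
    re.IGNORECASE,
)

def normalise(script_text):
    """Strip backtick escapes so split-up command names match the regex."""
    return script_text.replace("`", "")

def resolves_to_iex(pattern):
    """True if a Get-Alias name pattern (literal or wildcard) matches 'iex'."""
    return fnmatch.fnmatchcase("iex", pattern.lower())

def flag_events(events):
    """Return (host, alias_pattern) for 4104 records that invoke iex via Get-Alias."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4104:  # script block logging records only
            continue
        for m in ALIAS_CALL.finditer(normalise(ev["script"])):
            if resolves_to_iex(m.group(1)):
                hits.append((ev["host"], m.group(1)))
    return hits

# Constructed sample records (not taken from the campaign or the report).
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 4104, "script": "& (Get-Alias i?x) $stage"},
    {"host": "WS-02", "event_id": 4104,
     "script": "Get-Alias | Format-Table Name, Definition"},   # plain listing
    {"host": "WS-03", "event_id": 4104, "script": ". (g`al ie*) $decoded"},
    {"host": "WS-04", "event_id": 4104,
     "script": r"& (Get-Alias gci) C:\Users"},                  # not iex
]

if __name__ == "__main__":
    for host, pattern in flag_events(SAMPLE_EVENTS):
        print(f"{host}: Get-Alias pattern '{pattern}' resolves to iex and is invoked")
```

Because the article notes that the malware tries to disable logging, a host that stops producing 4104 records at all deserves the same attention as one that produces a hit.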

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

“Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools,” the spokesperson says. “Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats.”

A Growing Cyber Threat

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

Defense Contractors: A Vulnerable Segment

Adding to the concerns over the rising volume of cyber attacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Secure Sockets Layer/Transport Layer Security.

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cyber security best practices for military contractors to use to protect sensitive data. Under the DoD’s Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices, and get certified as having them, to be able to sell to government. The bad news? The rollout of the program has been delayed.
