Foreign Hackers Stole Information From Defense Contractors, Researchers Say

Foreign hackers are suspected of breaching several organizations, including defense contractors, and accessing sensitive information, according to a report by cybersecurity researchers.

Hackers stole documents from at least nine entities in the technology, defense, healthcare, energy and education industries after first breaching the organizations in September, according to research conducted by Palo Alto Networks. Researchers were not yet sure of the identities of the hackers but said they verified that several methods and tools used in the breaches are similar to those used by suspected Chinese hackers.

“Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration,” the researchers wrote.

The hackers reportedly breached and stole data from defense contractors, potentially compromising sensitive information sent by the Department of Defense to the contractors, according to the researchers.

“In aggregate, access to that information can be really valuable,” Ryan Olson, vice president of threat intelligence at Palo Alto Networks, told CNN. “Even if it’s not classified information, even if it’s just information about how the business is doing.”

The hackers were reportedly able to access the organizations by exploiting vulnerabilities in their cloud software from technology company Zoho, allowing them to deploy a tool called KdcSponge that stole passwords and sensitive documents.

“KdcSponge is a novel credential-stealing tool that is deployed against domain controllers to steal credentials. KdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific functions to gather usernames and passwords,” the researchers wrote.

When reached for comment, Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told the Daily Caller News Foundation that the agency is working with Palo Alto Networks to respond to the threat.

“Through the Joint Cyber Defense Collaborative (JCDC), CISA worked with Palo Alto Networks to understand, amplify, and drive action in response to the activity identified in this report,” Goldstein said. “This partnership reflects the value of the JCDC, in which government and the private sector work together to gain visibility and reduce risks that no organization can achieve alone.”

Ailan Evans
