US Government Details Tools Used by APTs in Defense Organization Attack

The NSA, FBI and CISA have issued an alert describing the tools and techniques used by advanced persistent threat actors in an attack aimed at an unnamed defense industrial base organization in the United States. The report published by the three government agencies focuses on some of the tools used by the threat actors. Cybersecurity firm Red Canary has been seeing a significant increase in the use of Impacket - it's one of the hacker tools that is most often present in its customers' environments. "Impacket is a 'dual use' tool in that it is used by legitimate tools as well as by adversaries during intrusions. Adversaries favor Impacket because it allows them to conduct various actions like retrieving credentials, issuing commands, moving laterally, and delivering additional malware onto systems," explained Katie Nickels, director of intelligence at Red Canary. Impacket has been used by well-known threat groups, including the Russia-linked cybercrime gang Wizard Spider and the Chinese state-sponsored group Stone Panda. The second tool highlighted in the alert released by the NSA, FBI and CISA is CovalentStealer, a custom data exfiltration tool that threat actors used to steal sensitive files from the victim's systems. The US government's advisory contains indicators of compromise and other information that defense industrial base and other critical infrastructure organizations are advised to use to detect potential compromise and protect their systems against such threats.