Foreign hackers are suspected of breaching several organizations, including defense contractors, and accessing sensitive information, according to a report by cybersecurity researchers.
Hackers stole documents from at least nine entities in the technology, defense, healthcare, energy and education industries after first breaching the organizations in September, according to research conducted by Palo Alto Networks. Researchers were not yet sure of the identities of the hackers but said they verified that several methods and tools used in the breaches are similar to those used by suspected Chinese hackers.
“Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration,” the researchers wrote. (RELATED: Hacking Group Is Stealing Personal Data, Communications From Telecom Carriers, Researchers Find)
The hackers reportedly breached and stole data from defense contractors, potentially compromising sensitive information sent by the Department of Defense to the contractors, according to the researchers.
An engineer from the Israeli company “Commun.it” uses his expertise in social media commercial analysis to identify networks of fake users during at the group’s office in the Israeli city of Bnei Brak near Tel Aviv on January 23, 2019. (Photo by JACK GUEZ/AFP via Getty Images)
“In aggregate, access to that information can be really valuable,” Ryan Olson, vice president of threat intelligence at Palo Alto Networks, told CNN. “Even if it’s not classified information, even if it’s just information about how the business is doing.”
The hackers were reportedly able to access the organizations by exploiting vulnerabilities in their cloud software from technology company Zoho, allowing them to deploy a tool called KdcSponge that stole passwords and sensitive documents.
“KdcSponge is a novel credential-stealing tool that is deployed against domain controllers to steal credentials. KdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific functions to gather usernames and passwords,” the researchers wrote.
When reached for comment, the Cybersecurity Infrastructure and Security Agency’s (CISA) executive assistant director for cybersecurity Eric Goldstein told the Daily Caller News Foundation that the agency is working with Palo Alto Networks to respond to the threat.
“Through the Joint Cyber Defense Collaborative (JCDC), CISA worked with Palo Alto Networks to understand, amplify, and drive action in response to the activity identified in this report,” Goldstein said. “This partnership reflects the value of the JCDC, in which government and the private sector work together to gain visibility and reduce risks that no organization can achieve alone.”
All content created by the Daily Caller News Foundation, an independent and nonpartisan newswire service, is available without charge to any legitimate news publisher that can provide a large audience. All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact licensing@dailycallernewsfoundation.org.
