Data stolen from organization serving U.S. defense in multi-payload attack

A custom CovalentStealer malware, the Impacket framework, the HyperBro remote access trojan (RAT), and over a dozen China Chopper webshell samples were used by attackers to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector.

While the initial access vector is unknown, the threat actor used compromised administrator credentials belonging to a former employee for the mailbox searches and further network connections. The attackers engaged in reconnaissance activity using a command shell. They learned about the victim’s environment and manually archived sensitive data, preparing it for exfiltration. This included contract-related information stored on shared drives.

Entities in the Defense Industrial Base Sector provide products and services that enable support and deployment of military operations. It is unknown who is behind the attack, which lasted for about ten months, but the U.S. government and CISA reported that multiple APT groups were involved.

The AI-powered and behavioral detection engines in Acronis Cyber Protect Cloud identify and block malware on your computers, keeping data and hardware safe even from never-before-seen cyberthreats.