Numerous state-sponsored threat actors were able to compromise and exfiltrate data from a U.S.-based defense industrial base organization between January and November last year, BleepingComputer reports.
Attackers behind the compromise leveraged the CovalentStealer malware in combination with the Impacket open-source toolkit, China Chopper webshells, and the HyperBro remote access trojan, a joint report from the FBI, National Security Agency, and Cybersecurity and Infrastructure Security Agency showed.
The attackers also exploited the ProxyLogon vulnerabilities: they were found to have accessed the impacted organization's Exchange server in mid-January 2021, accessed the network again in early February, conducted reconnaissance days later, and then leveraged the ProxyLogon flaws in early March to deploy China Chopper webshells.
Lateral movement across the network began in April, using Impacket. Between July and October last year, the attackers then used CovalentStealer to upload files to Microsoft OneDrive.
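Two of the stages above leave characteristic traces that defenders can look for: Impacket's wmiexec-style remote execution, which runs commands through cmd.exe and redirects output to a timestamp-named file on the loopback ADMIN$ share, and webshells written into Exchange front-end directories that then receive POST requests. The script below is an added illustration, not code from the advisory or from BleepingComputer. The regular expression, the list of Exchange directories, the allowlist of legitimate .aspx pages and all sample log lines are constructed assumptions for the example and would need tuning against a real environment.

```python
"""Added detection example: flag Impacket wmiexec-style command lines and
POST requests to .aspx files under Exchange front-end paths.
All patterns and sample events below are constructed for illustration."""
import re
from typing import List, Tuple

# wmiexec.py from Impacket executes commands as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# so the output-redirection tail is a usable process-creation signature.
# (Assumed pattern; verify against the Impacket version you see in the field.)
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.+?\s+1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Exchange front-end directories commonly abused for webshell drops (assumed list).
WEBSHELL_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/auth/")
# .aspx pages under those directories that legitimately receive POSTs (assumed allowlist).
LEGIT_ASPX = {"/owa/auth/logon.aspx"}

# Constructed sample events: ("proc", <command line>) or ("iis", "<method> <uri> <status>").
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("proc", r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1646234127.12 2>&1"),
    ("proc", r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1646234140.55 2>&1"),
    ("proc", r"cmd.exe /c dir C:\Users"),
    ("iis", "POST /owa/auth/supp0rt.aspx 200"),
    ("iis", "GET /owa/auth/logon.aspx 200"),
    ("iis", "POST /owa/auth/logon.aspx 200"),
    ("iis", "POST /aspnet_client/system_web/help.aspx 200"),
]


def is_impacket_wmiexec(cmdline: str) -> bool:
    """True when a process command line matches the wmiexec redirection pattern."""
    return WMIEXEC_RE.search(cmdline) is not None


def is_suspect_webshell_request(method: str, uri: str) -> bool:
    """True for a POST to a non-allowlisted .aspx page under a monitored directory."""
    path = uri.split("?", 1)[0].lower()
    if method.upper() != "POST" or not path.endswith(".aspx"):
        return False
    if path in LEGIT_ASPX:
        return False
    return any(path.startswith(d) for d in WEBSHELL_DIRS)


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run both heuristics over a list of (source, line) events and return hits."""
    hits: List[Tuple[str, str]] = []
    for source, line in events:
        if source == "proc" and is_impacket_wmiexec(line):
            hits.append(("impacket_wmiexec", line))
        elif source == "iis":
            method, uri, _status = line.split()
            if is_suspect_webshell_request(method, uri):
                hits.append(("webshell_post", uri))
    return hits


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

On the constructed events this reports the two wmiexec-style command lines and the two POSTs to unexpected .aspx pages, while ignoring the plain `dir` command, the GET, and the POST to the allowlisted logon page. In practice the process-creation side would read Sysmon Event ID 1 or Windows 4688 records and the web side would read the Exchange server's IIS W3C logs, and the allowlist would be built from a known-good inventory of the front-end directories.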
Meanwhile, a separate CISA report showed that CovalentStealer reused code from the ClientUploader utility and the Export-MFT PowerShell script, and that it was able to encrypt and decrypt both data and its configuration file.