// 01Executive summary
Russian state-sponsored cyber actors have been actively targeting U.S. cleared defense contractors (CDCs) to acquire sensitive defense information and technology, an activity observed since at least January 2020. These actors primarily leverage spearphishing, credential harvesting, brute force, and exploitation of known vulnerabilities, often focusing on Microsoft 365 environments. Organizations should immediately enforce multifactor authentication and strong passwords, enable M365 Unified Audit Logging, and deploy endpoint detection and response tools to counter these persistent intrusions and prevent further data exfiltration.
// 02Key metrics
// ttps
4
ATT&CK techniques
// iocs
5
indicators
// actors
1
threat groups
// kwords
10
keywords
// 03MITRE ATT&CK
// 04Threat actors
// 05Indicators of compromise
// ips0
none
// domains2 (note: neither entry is attacker infrastructure — both were misclassified by extraction)
- ntds.dit — not a domain: this is the Active Directory database file name (NTDS.dit), an exfiltration target described in the advisory. Treat it as a host/file artifact, not a network IOC.
- rewardsforjustice.net — the U.S. Department of State "Rewards for Justice" reporting site cited in the advisory; a legitimate domain, not actor-controlled. Do not block or alert on it.
// urls0
none
// sha2560
none
// md50
none
// emails0
none
// cves3
- CVE-2020-0688
- CVE-2020-17144
- CVE-2018-13379
// 06Geographic coverage
// 07YARA rule
```yara
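rule APT_RUS_StateSponsored_CDC_Targeting_2022_02 {
    meta:
        author = "YARA Expert"
        date = "2024-01-30"
        description = "Flags documents, logs, or other artifacts that reference the February 2022 advisory (AA22-047A) on Russian state-sponsored cyber actors targeting Cleared Defense Contractors. The strings are advisory text, an AD database filename and a reporting-site domain, so a hit means the file discusses the advisory or its subject matter - it is NOT evidence that a host is compromised."
        reference = "AA22-047A" // Product ID from the intelligence report sample
        tlp = "WHITE" // Traffic Light Protocol: WHITE - unlimited distribution
        threat_actor = "Russian State-Sponsored Cyber Actors"
        category = "Threat Hunting"

    strings:
        // --- Entries listed as "domains" in the source IOC list ---
        // Neither is attacker infrastructure, so on their own they are weak hunting pivots:
        //   - "ntds.dit" is the Active Directory database file name (NTDS.dit). The advisory
        //     describes actors collecting it, but any AD tooling or admin documentation
        //     mentions it as well.
        //   - "rewardsforjustice.net" is the U.S. Department of State reporting site cited
        //     in the advisory, not an actor-controlled domain.
        // "ascii wide" tells YARA to generate both the byte string and its UTF-16LE form.
        // The previous version hand-encoded the UTF-16LE bytes AND applied "wide" to them,
        // which double-widened every code unit (n\0\0\0t\0\0\0...) so the wide variants could
        // never match real UTF-16LE text; only the ASCII variants ever fired.
        $network_domain_1 = "ntds.dit" ascii wide nocase
        $network_domain_2 = "rewardsforjustice.net" ascii wide nocase

        // --- Phrases taken verbatim from the advisory text ---
        // One string per phrase (ascii + wide in a single declaration) so that "2 of ($string_*)"
        // in the condition really means two DISTINCT phrases, not the ascii and wide form of one.
        $string_actor_1     = "Russian State-Sponsored Cyber Actors" ascii wide nocase
        $string_target_1    = "Cleared Defense Contractor Networks" ascii wide nocase
        $string_info_1      = "Sensitive U.S. Defense Information and Technology" ascii wide nocase
        $string_agency_1    = "Federal Bureau of Investigation (FBI)" ascii wide nocase
        $string_agency_2    = "National Security Agency (NSA)" ascii wide nocase
        $string_agency_3    = "Cybersecurity and Infrastructure Security Agency (CISA)" ascii wide nocase
        $string_product_id  = "AA22-047A" ascii wide nocase
        $string_cdc_abbr    = "U.S. cleared defense contractors (CDCs)" ascii wide nocase
        $string_mfa         = "multifactor authentication" ascii wide nocase
        $string_m365_logs   = "M365 Unified Audit Logs" ascii wide nocase

    condition:
        // At least one of the filename/domain artifacts AND at least two distinct advisory phrases.
        // This combination primarily identifies copies of, or commentary on, the advisory itself
        // (reports, tickets, analyst notes). Pair it with file-type or size constraints and do not
        // route hits to an incident queue without a human review step.
        (1 of ($network_*)) and (2 of ($string_*))
}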
```
// 08Keywords
{'keyword': 'accounts', 'score': 28.766}
{'keyword': 'information', 'score': 28.4355}
{'keyword': 'access', 'score': 23.1698}
{'keyword': 'actors', 'score': 20.3724}
{'keyword': 'credentials', 'score': 16.821}
{'keyword': 'activity', 'score': 16.3715}
{'keyword': 'threat', 'score': 15.8043}
{'keyword': '2021', 'score': 15.5424}
{'keyword': 'network', 'score': 15.0893}
{'keyword': 'domain', 'score': 13.275}