US Military, Defense Contractors Infected with Infostealers: Hudson Rock
Hundreds of computers in the U.S. Army and Navy and at high-profile defense contractors are infected with information-stealing malware that can lead to data being stolen and offered on a cybercrime marketplace for as little as $10 a system, according to researchers with cybersecurity firm Hudson Rock.
In a report this month, researchers with the Israeli company found as many as 398 infected employees at Honeywell and dozens more each at Boeing, Lockheed Martin, and Leidos, as well as 71 in the U.S. Army and 30 in the U.S. Navy. In addition, more were detected at the FBI and the U.S. Government Accountability Office.
“Each one of these infected employees is a real person,” the analysts wrote. “It could be an engineer working on military AI systems, a procurement officer managing classified contracts, a defense analyst with access to mission-critical intelligence. At some point, these employees downloaded malware on a device they used for work, exposing not just their credentials, but potentially their entire digital footprint: browsing history, autofill data, internal documents, and session cookies for sensitive applications.”
A compromise of these systems also could create risks for third-party domains, from other contractors or agencies to tech vendors, they wrote.
The Threat of Infostealers
Hudson Rock, founded in 2020, has a history of detecting infostealers, having identified more than 30 million infected computers, with one in five having corporate credentials stored on the systems, the report’s authors wrote.
Instead of actively trying to brute force their way into organizations’ networks, infostealers wait for a user to make a mistake – such as downloading pirated software containing the malware – and then exfiltrate data like VPN credentials, multifactor authentication (MFA) sessions, documents, email logins, or internal development tools.
Among the infostealers found on systems from military branches and defense contractors were RedLine, Lumma, Raccoon, Azorult, and StealC.
Far-Reaching Implications
The Hudson Rock researchers pointed to the 398 compromised Honeywell systems, which leaked access to authentication portals and development tools such as Bitbucket, SharePoint, and SAP, and exposed 472 third-party corporate credentials for integrations with vendors such as Microsoft, Cisco, and SAP.
“If an adversary wanted to infiltrate a defense contractor’s supply chain, this would be their golden ticket,” they wrote, noting other data breach cases that involved credentials stolen by such malware, including Change Healthcare, AT&T, and Schneider Electric.
However, they noted, “this isn’t just a Honeywell problem – it’s a systemic issue that affects every company connected to them, including firms like Anduril, SpaceX, and Palantir. Even companies that have no infected employees can still be compromised – because their partners, suppliers, and vendors are leaking data.”
On the military side, the infections of 30 Navy personnel led to leaked authentication data for Confluence, Citrix, Outlook web access (OWA), and FTP, as well as 256 leaked third-party credentials from the likes of cybersecurity firm McAfee and USALearning and other military training platforms.
Concerning, But Not Surprising
Hudson Rock’s report “is incredibly concerning given the nature of the data and the individuals targeted,” said Thomas Richards, principal consultant and network and red team practice director at cybersecurity firm Black Duck. “The data stolen could allow an adversary into critical networks and take steps to compromise additional people and systems.”
That said, the problem isn’t new, according to Kent Wilson, vice president of the global public sector at Bugcrowd.
“The reality is that when an adversary targets an individual, eventual compromise is inevitable, whether it’s in the defense sector or the private sector,” Wilson said. “Human behavior remains the weakest link in security, and no amount of investment in classified networks or perimeter security can fully prevent an employee from unknowingly downloading infostealer malware that exposes credentials. … Every business – whether they serve the [U.S. Department of Defense] or not – has employees who hold sensitive credentials that adversaries can exploit.”
However, organizations can make it more difficult for hackers by adopting continuous and proactive security programs and using such tools as bug bounties, testing, and vulnerability disclosure programs to detect security gaps before bad actors do, he said.