This article was featured in the February 2024 edition of the Construction Industries of Massachusetts, Inc.’s Construction Journal.
Government contractors remain highly susceptible to cybersecurity attacks. In a recent press release, the United States Department of Justice (“DOJ”) announced that it had unsealed an indictment charging a group of cybersecurity hackers in connection with an alleged scheme affecting multiple parties, including government contractors.
The DOJ reported that the unsealed court documents alleged a multi-year hacking campaign in which a group of co-conspirators attempted to “compromise U.S. governmental and private entities, including the U.S. Departments of the Treasury and State, defense contractors, and two New York-based companies.” More than a dozen U.S. companies were impacted. According to the DOJ, one of the co-conspirators (who remains at large) purported to work as a cybersecurity specialist when, in actuality, he “allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems.” The DOJ noted that he did so in a jurisdiction outside the United States “in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure.”
The campaign involved the use of so-called “spear phishing” and other techniques “to infect more than 200,000 victim devices, many of which contained sensitive or classified defense information.” The DOJ explained that hackers trick email recipients into clicking on malicious links that infect victim devices with malware, which, in this case, allegedly compromised employee accounts.
These types of attacks present clear national security issues. The private sector victims “were primarily cleared defense contractors” working for the United States Department of Defense (although the hackers also targeted other companies, including an accounting firm). According to the DOJ, the hackers were able to compromise an administrator account within a defense contractor firm. This enabled the hackers to create unauthorized defense contractor accounts, which they then used to send additional spear-phishing attacks. The hackers also used “social engineering, which involved impersonating others, generally women, to obtain the confidence of victims.” If the charges are proven, the alleged conspirators will potentially face multiple years in prison.
As we continue to move toward a “paperless” model of conducting business, contractors – including those public entities – must be sure to implement appropriate cybersecurity controls to attempt to mitigate the various and evolving risks posed by cybersecurity hackers. The hacking schemes are becoming more prevalent and more sophisticated every day, raising the risk that those who are otherwise diligent may still fall victim to attacks. In addition to implementing appropriate system infrastructure to help protect against attacks like this, contractors should also conduct regular training so that their personnel are equipped to identify and protect against suspected attacks and ensure that appropriate emergency response actions are undertaken to mitigate the consequences of a successful attack.