A recent analysis by cybersecurity firm Hudson Rock on its Infostealers site has uncovered alarming vulnerabilities within the US military and its defense contractors due to widespread info stealer malware infections.
According to the company, these infections have compromised sensitive data across several high-profile entities, including Lockheed Martin, Boeing, Honeywell, the US Army, Navy, FBI, and the Government Accountability Office (GAO).
The compromised data encompasses VPN credentials, email systems, and access to classified procurement portals, raising significant concerns about national security.
Oops, I Did It Again
“Each one of these infected employees is a real person — it could be an engineer working on military AI systems, a procurement officer managing classified contracts, a defense analyst with access to mission-critical intelligence,” the report reads.
“At some point, these employees downloaded malware on a device they used for work, exposing not just their credentials, but potentially their entire digital footprint: browsing history, autofill data, internal documents, and session cookies for sensitive applications.”
Hudson Rock posed the question: “If these organizations — the backbone of US national security — are infected, what does that say about their ability to defend against more sophisticated attacks?”
Ocean’s $10
Infostealer malware operates by infiltrating an employee’s device—often through apparently harmless downloads like game modifications, pirated software, or malicious PDFs—and exfiltrating a wide range of data.
This might include VPN credentials, multi-factor authentication (MFA) session cookies, email logins, internal development tools, stored documents, browser autofill data, and browsing history.
Alarmingly, bad actors can acquire this stolen information for as little as $10 per compromised device on underground marketplaces.
These dark marketplaces mirror legitimate businesses by providing user-friendly interfaces, enabling malefactors to search for specific credentials, such as those associated with military domains like army.mil.
One particularly concerning instance involved an infected machine belonging to an FBI employee, where active session cookies for the Bureau’s official website were discovered. It’s possible that these session cookies could enable unsanctioned access to sensitive systems without the need for login credentials, effectively bypassing MFA measures.
Mission: Compromised
The analysis also highlights infections among employees of major defense contractors.
For example, Honeywell experienced 398 employee infections over the years, which resulted in the exposure of authentication portals and development tools including Bitbucket, SharePoint, and SAP.
Also, 472 third-party corporate credentials were compromised, affecting integrations with Microsoft, Cisco, and SAP.
Roger Grimes, Data-driven Defence Evangelist at KnowBe4, says: ”The Infostealer is a secondary problem. The real program and question is how the infostealers are getting on military computers in the first place. Was it social engineering (most common), unpatched software or firmware (second most likely cause) or something else.”
Either way, Grimes says the method used to enable the infostealer to gain initial access can be used by threat actors to do anything. “Adversarial spies, like Russia or China, could gain access. Ransomware taking down the infrastructure could be launched. If the involved department doesn’t take care of how the infostealer is gaining initial access, they are going to have far greater problems than just stolen passwords.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.