- US military agencies and defense contractors hit by infostealer malware
- The malware can exfiltrate victim’s data
- Researchers discovered thousands of infected devices
Despite their multi-billion dollar budgets, US agencies have been infected by Infostealer malware, and have had credentials and information stolen from official devices.
A report from Hudson Rock has revealed for as little as $10 per computer, criminals can ‘purchase stolen data from employees who work in classified defense and military sectors’.
Infostealers are a type of malware that has developed as a crucial tool for cybercriminals. As the name suggests, they gather sensitive information stored on a victim’s device, usually to leverage in identity theft, extortion, or financial fraud – but in this case, it’s likely to be confidential or classified data, potentially relating to national security.
Infostealers don’t rely on brute-force attacks, but instead prey upon human error – here’s what we know so far.
Supply chain compromise
Researchers found infected users from six contractors; Lockheed Martin, BAE systems, Boeing, Honeywell, L3Harris, and Leidos. These defense contractors work on seriously advanced military technology, including warships, F-35 jets, and more – Lockheed Martin alone was awarded $5.1 billion worth of contracts by the Department of Defence in 2024.
In total, 472 third-party corporate credentials were exposed, including Cisco, SAP Integrations, and Microsoft from contractors. Businesses, organizations, and even government departments are increasingly interdependent, and supply chain vendors have been frequently utilized in attacks– “if an adversary wanted to infiltrate a defense contractor’s supply chain, this would be their golden ticket,” the report confirms.
The report outlined an example of how Honeywell’s infrastructure was compromised – including its internal intranet, an Active Directory Federation Services login, and an Identity and Access Management system. Researchers discovered 398 infected employees and 18,527 infected users for Honeywell systems over the years, and just one compromised employee held 56 corporate credentials for Honeywell’s infrastructure, as well as 45 additional third-party credentials – showing the scale of the risk.
But contractors weren’t the only victims, with infections found in US Army, US Navy, FBI, and Government Accountability Office (GAO) systems too, with local authentication data for OWA, Confluence, Citrix, and FTP found, which ‘suggests an adversary could move laterally inside military systems’.
Third-party data breaches have become a major security concern, and emerging threats have found that almost all (98%) of European companies have experienced a third-party breach in the last year.
In late 2024, the US Treasury Department declared a ‘major incident’ after experiencing a breach through its vendor ‘BeyondTrust’ – so these threats are not just hypothetical. There are real dangers associated with national security if third-party vendors are compromised, especially if the vendors hold classified information.
Infostealer risks
How serious is this? Well, it’s not great. As the report points out, “if Infostealers can breach Lockheed, Boeing, the U.S. Army, and the FBI, they can breach anyone”. These breaches reinforce the idea that any organization, no matter how good their cyber hygiene is, or how strong their cybersecurity defenses, can be compromised.
The most common infostealers are Lumma Stealer, Vidar, RedLine, and Medusa – and these can exfiltrate your data in under a minute, so here are some tips to stay safe.
Unfortunately, there’s no one way to avoid Infostealers, it’s mostly about keeping good cyber hygiene. Infostealers primarily rely on user error, like accidentally downloading an infected PDF, pirated software crack, or clicking a malicious link.
Much like with social engineering attacks, the best defense is being aware and staying vigilant. Don’t click on links you don’t trust, don’t visit unverified sites, and if you work in an industry like defense, security, or a government agency – it’s probably best to stick strictly to official sites.
Infostealers are a type of malware, so deploying the best malware removal software can make sure there’s no lingering threat – but to dodge the threat, you need to be on the ball.
Make sure you have a strong password and use unique credentials for each login – it’s a faff, but it keeps you protected. If one password is compromised, then all others can be if you reuse your passwords.
Organizations should be sure to run regular and thorough cybersecurity training sessions for all employees at every level, so that everyone understands the risks and the severity of a breach.
Assessing the security posture of software suppliers and vendors can save you from a critical breach, and with breaches often costing millions of dollars and damaging an organization’s reputation, this can be a crucial safety policy for your company.
