NSA warns of Russian government-backed hackers aiming at US defense sector targets

The agency did not specificy which Russian hacking group was suspected.
The Russian flag flies above Russian parliament. (Getty Images)

The National Security Agency issued an alert Monday warning U.S. defense contractors to be on alert for Russian state-sponsored hackers exploiting a recently announced vulnerability.

The software issue, which affects VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector, is known as a Command Injection Vulnerability, and could allow attackers to execute arbitrary commands on targets.

The Russian hackers, which the NSA did not identify more specifically, appear to have successfully accessed protected systems by exploiting the flaw, according to the NSA alert. In order to be able to exploit the flaw, hackers must already have access to the management interface of the device, suggesting they already have password-level access.

The agency urges system administrators to patch against the flaw as soon as possible.


Exploitation of the vulnerability could lead to the complete compromise of user data, according to VMWare. The company already released a patch for the flaw, rated to have a Common Vulnerability Scoring System score of a high 7.2.

The Russian government has consistently denied any involvement in malicious cyber-activity.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) urged industry to patch the vulnerability last week, though it did not disclose that Russia was taking advantage of the technical flaw.

The NSA advisory is just the latest alert the Pentagon’s signals intelligence agency has released on state-backed hacking in an effort to get IT staff to protect against nation-state threats. The NSA last year established a cybersecurity directorate to specifically focus on sharing more threat information publicly to boost collective defense.

“This cybersecurity advisory is provided as part of NSA’s mission to provide timely, relevant and actionable cybersecurity guidance to our partners in the Department of Defense, National Security Systems, and the Defense Industrial Base,” Neal Ziring, the Technical Director of the NSA Cybersecurity Directorate, said in a statement. “Any organization who uses the affected products should take prompt action to apply the vendor released patch.”


The NSA recently alerted the defense industrial base about 25 known vulnerabilities that were being exploited in campaigns run by Chinese government-backed hackers. In this case, that NSA did not identify which suspected Chinese hackers were behind the activity. The FBI and DHS had previously issued a report on China’s civilian intelligence and counterintelligence service, the Ministry of State Security (MSS), exploiting the same flaws.

The Cybersecurity Directorate previously focused on exposing campaigns from Russian hackers, known as APT28 or Fancy Bear, tied with Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center. The NSA has also recently been tracking Russian government hackers known as APT29 or Cozy Bear for their targeting of coronavirus vaccine research.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts