Connect with us

Hi, what are you looking for?



U.S. Says Russian Hackers Stole Data From Two Government Servers

The United States says Russian state-sponsored hacking group Energetic Bear has successfully compromised state, local, territorial, and tribal (SLTT) government networks and stole data from at least two servers.

The United States says Russian state-sponsored hacking group Energetic Bear has successfully compromised state, local, territorial, and tribal (SLTT) government networks and stole data from at least two servers.

Also referred to as Berserk Bear, Crouching Yeti, Dragonfly, Havex, Koala, and TeamSpy, the hacking group has been active for at least a decade, mainly focused on the energy sector in the United States and Europe.

In a Thursday alert, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) revealed that the threat actor has been observed targeting the networks of various U.S. SLTT governments, as well as those of aviation organizations.

The attacks, conducted since at least September 2020, “targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers,” the alert reads.

Using stolen credentials for initial access and lateral movement, the hackers then locate high value assets and exfiltrate data of interest.

In at least one incident involving an SLTT network, Energetic Bear was able to access documents related to sensitive network configurations and passwords; standard operating procedures (SOP); IT instructions; vendors and purchasing information; and printing access badges.

According to the FBI and CISA, the threat actor does not appear to have intentionally disrupted the operations of organizations in aviation, education, elections, or government sectors.

Advertisement. Scroll to continue reading.

“However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities,” the alert reads.

The attacks might also be seen as a risk to elections information that is stored on SLTT government networks, but there’s no evidence that such data has been compromised, the FBI and CISA note. Monitoring of the activity will continue, the two agencies say.

In an emailed comment, John Hultquist, senior director of analysis at Mandiant Threat Intelligence, said that the threat actor behind this activity has been observed targeting election-related organizations before. However, it does not appear capable of altering votes.

“The actor, who we call TEMP.Isotope, has successfully breached systems in the US, EU, and elsewhere and have targeted energy providers, water infrastructure, and even airports. Though we have not seen them disrupt these systems, we believe they are compromising them to hold them under threat, as a contingency, and possibly a warning. On one occasion we have seen them target an election related organization,” Hultquist said.

“We have actively tracked targeting of state and local systems by this actor in the lead up to the election. The timing of these incidents, the targeting of organizations with ties to election administration, and the aggressive past behavior of this actor, all underscore the seriousness of this activity. However, we have no information which suggests these actors are capable or even willing to alter votes. Access to these systems could enable disruption or could be an end in itself, allowing the actor to seize on perceptions of election insecurity and undermine the democratic process,” he concludes.

As part of the observed attacks, Turkish IP addresses were used to connect to the compromised networks. The hackers were seen attempting brute force logins, SQL injections, as well as scanning for or exploiting known vulnerabilities, such as CVE-2019-19781 (Citrix ADC and Gateway), CVE-2020-0688 (Microsoft Exchange), CVE 2019-10149 (Exim SMTP), CVE-2018-13379 (Fortinet VPN), and CVE-2020-1472 (Windows Netlogon).

The FBI and CISA also list a series of steps organizations can take to mitigate the risks posed by the threat actor, including applying the available patches for the targeted applications and remote access services, isolating Internet-facing servers, implementing application controls, and blocking RDP connections, among others.

“Organizations must maintain a robust layered defense network with monitoring and detection to reduce an attack’s risk by a known vulnerability and exploit. The recent attacks from nation-state cybersecurity operatives use known vulnerabilities to access an organization’s networks and systems to steal data,” James McQuiggan, security awareness advocate at KnowBe4, commented. “Essentially, without patching or updating external facing systems or network devices, it’s like leaving a car door wide open in the middle of a street. It makes it easy for criminals to jump in and steal it.”

Related: Zerologon Chained With Fortinet, MobileIron Vulnerabilities in U.S. Government Attacks

Related: Attack on San Francisco Airport Linked to Russian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...