The United States says Russian state-sponsored hacking group Energetic Bear has successfully compromised state, local, territorial, and tribal (SLTT) government networks and stolen data from at least two servers.
Also referred to as Berserk Bear, Crouching Yeti, Dragonfly, Havex, Koala, and TeamSpy, the hacking group has been active for at least a decade, mainly focused on the energy sector in the United States and Europe.
In a Thursday alert, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) revealed that the threat actor has been observed targeting the networks of various U.S. SLTT governments, as well as those of aviation organizations.
The attacks, conducted since at least September 2020, “targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers,” the alert reads.
Using stolen credentials for initial access and lateral movement, the hackers then locate high value assets and exfiltrate data of interest.
In at least one incident involving an SLTT network, Energetic Bear was able to access documents related to sensitive network configurations and passwords; standard operating procedures (SOP); IT instructions; vendors and purchasing information; and printing access badges.
According to the FBI and CISA, the threat actor does not appear to have intentionally disrupted the operations of organizations in aviation, education, elections, or government sectors.
“However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities,” the alert reads.
The attacks might also be seen as a risk to elections information that is stored on SLTT government networks, but there’s no evidence that such data has been compromised, the FBI and CISA note. Monitoring of the activity will continue, the two agencies say.
In an emailed comment, John Hultquist, senior director of analysis at Mandiant Threat Intelligence, said that the threat actor behind this activity has been observed targeting election-related organizations before. However, it does not appear capable of altering votes.
“The actor, who we call TEMP.Isotope, has successfully breached systems in the US, EU, and elsewhere and has targeted energy providers, water infrastructure, and even airports. Though we have not seen them disrupt these systems, we believe they are compromising them to hold them under threat, as a contingency, and possibly a warning. On one occasion we have seen them target an election-related organization,” Hultquist said.
“We have actively tracked targeting of state and local systems by this actor in the lead up to the election. The timing of these incidents, the targeting of organizations with ties to election administration, and the aggressive past behavior of this actor, all underscore the seriousness of this activity. However, we have no information which suggests these actors are capable or even willing to alter votes. Access to these systems could enable disruption or could be an end in itself, allowing the actor to seize on perceptions of election insecurity and undermine the democratic process,” he concludes.
As part of the observed attacks, Turkish IP addresses were used to connect to the compromised networks. The hackers were seen attempting brute force logins, SQL injections, as well as scanning for or exploiting known vulnerabilities, such as CVE-2019-19781 (Citrix ADC and Gateway), CVE-2020-0688 (Microsoft Exchange), CVE-2019-10149 (Exim SMTP), CVE-2018-13379 (Fortinet VPN), and CVE-2020-1472 (Windows Netlogon).
The FBI and CISA also list a series of steps organizations can take to mitigate the risks posed by the threat actor, including applying the available patches for the targeted applications and remote access services, isolating Internet-facing servers, implementing application controls, and blocking RDP connections, among others.
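The brute-force login attempts described above are one of the easier behaviours in this activity to surface from ordinary authentication logs. The following detection is an added example written for this article, not code from the FBI/CISA alert: it walks constructed sshd-style log lines, keeps a sliding window of failed logins per source IP, and escalates when a burst of failures is followed by a successful login from the same address (the pattern that suggests a credential was guessed or reused). The log format, threshold, and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real victim logs).
SAMPLE_LOG = """\
2020-10-01T08:00:01 sshd: Failed password for admin from 203.0.113.10 port 51022
2020-10-01T08:00:03 sshd: Failed password for admin from 203.0.113.10 port 51023
2020-10-01T08:00:04 sshd: Failed password for root from 203.0.113.10 port 51024
2020-10-01T08:00:06 sshd: Failed password for backup from 203.0.113.10 port 51025
2020-10-01T08:00:07 sshd: Failed password for admin from 203.0.113.10 port 51026
2020-10-01T08:00:09 sshd: Accepted password for admin from 203.0.113.10 port 51027
2020-10-01T08:00:10 sshd: Failed password for jdoe from 198.51.100.7 port 40000
2020-10-01T09:30:00 sshd: Failed password for jdoe from 198.51.100.7 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": bool}} for every source
    that reaches `threshold` failed logins inside a sliding `window`.
    success_after marks a later Accepted login from the same IP within the
    window, the case a responder should triage first."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not auth events
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        q = failures[ip]
        if m["result"] == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": False})
                alerts[ip]["failures"] = max(alerts[ip]["failures"], len(q))
        elif ip in alerts and q and ts - q[-1] <= window:
            alerts[ip]["success_after"] = True
    return alerts
```

The second address in the sample never trips the threshold because its two failures are 90 minutes apart, which is why the window matters as much as the count.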
“Organizations must maintain a robust layered defense network with monitoring and detection to reduce an attack’s risk by a known vulnerability and exploit. The recent attacks from nation-state cybersecurity operatives use known vulnerabilities to access an organization’s networks and systems to steal data,” James McQuiggan, security awareness advocate at KnowBe4, commented. “Essentially, without patching or updating external facing systems or network devices, it’s like leaving a car door wide open in the middle of a street. It makes it easy for criminals to jump in and steal it.”