U.S. Says Russian Hacking Group Stole Data From Two Government Servers

The United States believes that Energetic Bear, a Russian state-sponsored hacking group, has successfully infiltrated state, local, tribal, and territorial (SLTT) government networks and exfiltrated data from at least two servers.

The hacking group, also tracked as Berserk Bear, Crouching Yeti, Dragonfly, Havex, Koala, and TeamSpy, has been active for at least a decade, primarily targeting the energy sector in the U.S. and Europe.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) reported in a Thursday alert that the threat actor was observed targeting the networks of various U.S. SLTT governments, as well as those of aviation organizations.

The attacks, carried out since at least September 2020, “targeted hundreds of SLTT government and aviation networks, attempted intrusions into many SLTT organizations, successfully breached network resources, and, as of October 1, 2020, exfiltrated data from at least two victim servers,” the alert reads.

Using compromised credentials for initial access and lateral movement, the hackers then identify high-value assets and exfiltrate data of interest.

In at least one incident involving an SLTT network, Energetic Bear was able to access documents related to sensitive network configurations and passwords; standard operating procedures (SOPs); IT instructions; vendor and purchasing information; and printing access badges.

According to the FBI and CISA, the threat actor does not appear to have intentionally disrupted the operations of organizations in the transportation, education, election, or government sectors.

“The actor may, however, be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities,” the alert reads.

The attacks can also be seen as a threat to election data stored on SLTT government networks, but the FBI and CISA say there is no indication that such data has been compromised. The two agencies say they will continue to report on the activity.

John Hultquist, senior research director at Mandiant Threat Intelligence, said in an emailed statement that the threat actor behind this operation has previously been observed targeting election-related organizations, but it does not appear capable of altering votes.

“The actor we call TEMP.Isotope has effectively abused processes in the US, the EU, and elsewhere, and has threatened sources of electricity, water, and even airports. Although we have not seen them destroy these structures, we suspect they are weakening them, as a precaution and probably an alert, to keep them under pressure. We saw them attack an election-related agency on one occasion,” said Hultquist.

“In the run-up to the election, we closely monitored this actor’s targeting of state and local processes. The timing of these events, the harassment of organizations with electoral administration links, and this actor’s violent past actions all underline the severity of this crime. We have no evidence, however, that these actors are capable or even willing to shift votes. Entry to such networks could be destructive or an end in itself, enabling the actor to understand the expectations of electoral vulnerability and weaken the democratic process,” he concludes.

Turkish IP addresses were used as part of the observed attacks to connect to the victim networks. The attackers have attempted brute-force logins, SQL injection, and scanning for or exploiting known vulnerabilities, such as CVE-2019-19781 (Citrix ADC and Gateway), CVE-2020-0688 (Microsoft Exchange), CVE-2019-10149 (Exim SMTP), CVE-2018-13379 (Fortinet VPN), and CVE-2020-1472 (Windows Netlogon).
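The brute-force logins mentioned above are the kind of activity a defender can surface from ordinary authentication logs. The Python script below is an added example written for this article; it is not code from the FBI/CISA alert or from any vendor quoted here. It parses a few constructed OpenSSH-style auth-log lines (placeholder hostnames, usernames and RFC 5737 documentation addresses), counts failed logins per source address inside a sliding time window, and separately flags a successful login from an address whose window is still hot, which is the shape of a credential-based entry that follows password guessing. The threshold of five failures, the five-minute window and the year assumed for the year-less syslog timestamps are all the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH auth-log style. Hostnames, usernames and
# the RFC 5737 documentation addresses are placeholders, not real observations.
SAMPLE_LOG = """\
Oct 20 03:01:11 vpn01 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51012 ssh2
Oct 20 03:01:14 vpn01 sshd[1202]: Failed password for invalid user admin from 203.0.113.10 port 51013 ssh2
Oct 20 03:01:20 vpn01 sshd[1203]: Failed password for root from 203.0.113.10 port 51014 ssh2
Oct 20 03:01:27 vpn01 sshd[1204]: Failed password for invalid user test from 203.0.113.10 port 51015 ssh2
Oct 20 03:01:33 vpn01 sshd[1205]: Failed password for svc_backup from 203.0.113.10 port 51016 ssh2
Oct 20 03:02:40 vpn01 sshd[1300]: Accepted password for svc_backup from 203.0.113.10 port 51030 ssh2
Oct 20 03:05:02 vpn01 sshd[1410]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Oct 20 03:06:00 vpn01 sshd[1411]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Oct 20 03:06:09 vpn01 sshd[1412]: Accepted password for bob from 198.51.100.7 port 40024 ssh2
"""

# Matches the "Failed/Accepted ... for [invalid user] USER from IP port N" lines
# that sshd writes for password and public-key authentication attempts.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Classic syslog timestamps carry no year; an assumed year is supplied so the
# lines can be ordered and compared (example assumption, not from the log).
ASSUMED_YEAR = 2020


def parse_auth_log(text):
    """Return one dict per recognised authentication event: ts, ip, user, ok."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter is ignored
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "Accepted"})
    return events


def _finding(findings, ip):
    return findings.setdefault(
        ip, {"peak_failures": 0, "users_tried": set(), "success_after_failures": []})


def detect_brute_force(events, threshold=5, window_seconds=300):
    """Flag source IPs with >= threshold failures inside a sliding window, and
    record any successful login from such an IP while that window is still hot."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    tried = defaultdict(set)      # ip -> usernames seen in failed attempts
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        # Expire failures that have fallen out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["ok"]:
            # A success right after a burst of failures is the interesting case.
            if len(q) >= threshold:
                f = _finding(findings, ev["ip"])
                f["success_after_failures"].append((ev["user"], ev["ts"].isoformat()))
            continue
        q.append(ev["ts"])
        tried[ev["ip"]].add(ev["user"])
        if len(q) >= threshold:
            f = _finding(findings, ev["ip"])
            f["peak_failures"] = max(f["peak_failures"], len(q))
            f["users_tried"] = set(tried[ev["ip"]])
    return findings


if __name__ == "__main__":
    for ip, info in detect_brute_force(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the constructed sample, 203.0.113.10 trips the threshold with five failures in 22 seconds and then logs in as `svc_backup` inside the window, so it is reported with both the failure burst and the follow-on success; 198.51.100.7 has a single typo-style failure and is left alone. The same per-source window logic is what a SIEM rule or fail2ban-style blocker implements, and the success-after-failures list is the one to route to an analyst rather than merely to a block list.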

The FBI and CISA list a range of actions organizations should take to reduce the threat posed by the actor, including applying available patches to the targeted systems and remote-access products, isolating Internet-facing servers, installing application filters, and blocking RDP connections, among other measures.

To reduce the risk of an intrusion through a known weakness, enterprises must build a robust, layered security architecture with monitoring and detection. James McQuiggan, security awareness advocate at KnowBe4, commented on the latest attacks by nation-state actors leveraging known vulnerabilities to penetrate enterprise networks and infrastructure and steal data. “Essentially, it is like having a vehicle door wide open in the middle of a street without patching or upgrading outward-facing equipment or network gadgets. For thieves, it makes it easy to hop in and rob it.”

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.