Russian state hackers stole data from US government networks

DHS Cybersecurity and Infrastructure Security Agency (CISA) and the FBI today warned that a Russian state-sponsored APT threat group known as Energetic Bear has hacked and stolen data from US government networks during the last two months.

Energetic Bear (also tracked as Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala), a hacking group active since at least 2010, has targeted the networks of both US state, local, territorial, and tribal (SLTT) government organizations and aviation entities.

Attackers stole data from government networks

"The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers," the two agencies said today.

"The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data."

According to the joint alert, in at least one incident involving a compromised government network, the Russian state-backed hacking group gained access to sensitive files including:

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

No info on hackers' end goals

The hackers used several methods in their attacks, including brute-force attempts and Structured Query Language (SQL) injection attacks, and also scanned for and tried to exploit vulnerable Citrix, Fortinet, and Microsoft Exchange servers.

They also used compromised Microsoft Office 365 (O365) accounts and attempted to exploit the ZeroLogon Windows Netlogon vulnerability (CVE-2020-1472) for privilege escalation on Windows Active Directory (AD) servers.

"To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations," the agencies added.

"However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities."

Additional information on the group's attacks, mitigation measures, and an extensive list of indicators of compromise (IOCs) are available in the joint alert issued by the FBI and CISA.
