The FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.
The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We’re told:
It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections, and convince citizens to question the outcome. With US officials urging people to rely on local governments, and other trusted sources such as top-tier media, for election news and results, we can easily see why Moscow wants to meddle with those organizations. Voting infrastructure is said to be unaffected.
“The actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” the advisory warned.
“As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections [sic] information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised.”
Iran sent threatening pro-Trump emails to American Democrats, Russia close behind, says US intelligence
Energetic Bear first popped up on security radars in 2014, when it was fingered for attacks against the energy sector, and were specifically called out by the US in 2018. But now they are going after government networks, and also some aviation targets, in a campaign that may go back to February.
The agencies note that the crew attack public-facing servers with brute-force login attempts and SQL injection attacks, and seem to specialize in exploiting Microsoft and Citrix flaws. Many of the vulnerabilities discussed in the advisory were also named in the NSA’s warning earlier this week about holes that are exploited by Chinese hackers, and should be patched ASAP if not already.
The Russians also set up web domains masquerading as legit addresses as part of their phishing campaign to get access to networks. The gang obtains “user and administrator credentials to establish initial access,” then performs “lateral movement once inside the network, and locates high value assets in order to exfiltrate data,” we’re told.
There’s a full range of IP addresses the Energetic Bear team are using in the advisory, although the agencies warn the miscreants likely change their IP addresses rapidly. Otherwise the advice is the same as normal: patch everything, check your multi-factor authentication systems are set up, in use, and working properly, and watch out for suspicious activity. ®