Is it Iran or Russia's hackers we need to worry about? The Russians, definitely the Russians, says US intelligence

Energetic Bear team caught breaking into govt systems, no harm done to Nov 3 elections


The FBI and the US government's Cybersecurity and Infrastructure Security Agency on Thursday issued a joint warning that a Kremlin hacking crew is probing or breaking into systems belonging to the US government and aviation industry.

The joint advisory states that the team, known as Energetic Bear among other monikers, has been specifically going after US state, local, territorial, and tribal (SLTT) government networks, as well as aviation, since at least September 2020. We're told:

The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers ... In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:

Sensitive network configurations and passwords; standard operating procedures, such as enrolling in multi-factor authentication (MFA); IT instructions, such as requesting password resets; vendors and purchasing information; and printing access badges.

It appears the goal of the Russians is to obtain the necessary inside information or access to systems to ultimately stir up civil unrest and distrust in the results of the November 3 US elections, and convince citizens to question the outcome. With US officials urging people to rely on local governments, and other trusted sources such as top-tier media, for election news and results, we can easily see why Moscow wants to meddle with those organizations. Voting infrastructure is said to be unaffected.

"The actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities," the advisory warned.

"As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections [sic] information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised."


Energetic Bear first popped up on security radars in 2014, when it was fingered for attacks against the energy sector, and it was specifically called out by the US in 2018. Now the crew is going after government networks, and also some aviation targets, in a campaign that may go back to February.

The agencies note that the crew attacks public-facing servers with brute-force login attempts and SQL injection attacks, and seems to specialize in exploiting Microsoft and Citrix flaws. Many of the vulnerabilities discussed in the advisory were also named in the NSA's warning earlier this week about holes exploited by Chinese hackers, and should be patched ASAP if they haven't been already.

The Russians also set up web domains masquerading as legit addresses as part of their phishing campaign to get access to networks. The gang obtains "user and administrator credentials to establish initial access," then performs "lateral movement once inside the network, and locates high value assets in order to exfiltrate data," we're told.

The advisory lists the full range of IP addresses the Energetic Bear team has been using, although the agencies warn the miscreants likely change their IP addresses rapidly. Otherwise the advice is the same as normal: patch everything, check your multi-factor authentication systems are set up, in use, and working properly, and watch out for suspicious activity. ®
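As an added illustration of the "watch out for suspicious activity" advice (this is not code from the advisory or from the agencies), here is a small Python detector that runs over constructed web-server log lines and flags the two techniques the advisory describes, credential brute-forcing and SQL injection, by behaviour rather than by source address, since the agencies say those addresses change rapidly. The log format, thresholds, signatures and sample entries are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style) using RFC 5737 documentation IPs, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2020:08:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [01/Oct/2020:08:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [01/Oct/2020:08:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [01/Oct/2020:08:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [01/Oct/2020:08:00:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.10 - - [01/Oct/2020:08:00:09 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [01/Oct/2020:08:05:00 +0000] "GET /search?q=badge%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096
198.51.100.7 - - [01/Oct/2020:08:05:02 +0000] "GET /search?q=x%27%20UNION%20SELECT%20user%2Cpass%20FROM%20accounts-- HTTP/1.1" 500 128
192.0.2.33 - - [01/Oct/2020:08:10:00 +0000] "POST /login HTTP/1.1" 401 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Crude SQL-injection signatures: quote-then-boolean tautology, UNION SELECT, trailing comment, stacked DROP/EXEC.
SQLI_RE = re.compile(r"""['"]\s*(?:or|and)\s+[^=]*=|\bunion\s+select\b|--\s*$|;\s*(?:drop|exec)\b""", re.I)

def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                           "method": m["method"], "path": unquote(m["path"]), "status": int(m["status"])})
    return events

def find_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: total_failed_logins} for sources with >= threshold failed logins inside window_s seconds."""
    failures = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].startswith("/login") and ev["status"] in (401, 403):
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()  # sliding window over the sorted failure times
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            flagged[ip] = len(times)
    return flagged

def find_sqli(events):
    """Return (ip, decoded path) for requests whose query string looks like SQL injection."""
    return [(ev["ip"], ev["path"]) for ev in events if SQLI_RE.search(ev["path"])]
```

Tune the threshold and window to the real login rate of the service before alerting on it; one isolated failure, like the 192.0.2.33 entry, should not fire.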
