Russian APT group 'Energetic Bear' attacking state and local networks

There's no evidence to suggest that the group has been able to compromise the integrity of elections data

The FBI and CISA have published a joint alert to warn organisations of ongoing cyber attacks against a wide variety of US targets by a Russian state-sponsored hacking group.

According to the US government agencies, the APT group known as Energetic Bear has been targeting various US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks, since at least September, and was able to steal data from at least two servers.

Energetic Bear is variously known as DragonFly, TEMP.Isotope, TeamSpy, Koala, Berserk Bear, and Crouching Yeti in the cyber security community.

The officials said that hackers are targeting publicly known security bugs in efforts to compromise network devices, expand their presence on the networks and steal sensitive data from victim machines.

The hackers are targeting vulnerabilities including CVE-2020-0688 (Microsoft Exchange email servers), CVE-2019-19781 (Citrix access gateways), CVE-2018-13379 (Fortinet SSL VPNs), CVE 2019-10149 (Exim mail agents) and CVE-2020-1472 (Windows Netlogon bug).

"The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network and locate high value assets in order to exfiltrate data," the advisory said.

In one instance, the group was able to laterally traverse an SLTT victim network. After compromising the network, they accessed documents related to:

• Passwords and sensitive network configurations
• Vendors information
• SOP such as enrolling in multi-factor authentication
• Password reset requests
• Access badge printing

Officials said they currently have no evidence to suggest that the Russian group has been able to compromise the integrity of elections data. However, they may be seeking access to networks to influence US policies, or to delegitimise SLTT government entities in the future, the officials added.

The advisory from federal agencies comes just two days after the US Justice Department charged six intelligence officers at Russia's Main Centre for Special Technologies over a series of cyber attack, including NotPetya.

In the indictment, the Justice Department said that the six individuals - Artem Ochichenko, Yuriy Andrienko, Pavel Frolov, Sergey Detistov, Anatoliy Kovalev and Petr Pliskin - were responsible for conducting destructive attacks on behalf of the Russian state.

The group, also known as Sandworm, Voodoo Bear, Telebots or Iron Viking, was active from around 2015 to 2019,and launched multiple attacks to target the Spring 2017 French election, the 2018 Winter Olympic Games in South Korea, and other significant events/entities in different countries.

On Wednesday, US intelligence officials also warned that Iran has been trying to interfere with the 2020 presidential election by sending threatening emails to American voters.

The emails claim to come from pro-Trump right-wing group "Proud Boys" and warn recipients with consequences if they don't vote for Donald Trump.