Russian attackers have continued to target the networks of state, tribal, and local government agencies, along with the networks of private companies in key industries, in the lead-up to the presidential election, exploiting known vulnerabilities to gain access and steal sensitive data, a new warning from the FBI and CISA says.
The two agencies on Thursday published an advisory attributing an ongoing series of attacks to a well-known Russian threat actor group known variously as Energetic Bear, Dragonfly, and Crouching Yeti. The group has targeted companies in a number of different countries over the last decade and has mainly focused its operations on targets in the oil and gas industries. However, Energetic Bear also attacks critical infrastructure targets and government agencies in some cases, and the new warning from the U.S. government says the group has turned its attention to state, local, territorial, and tribal (SLTT) government entities in recent months.
“The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers,” the advisory says.
“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”
As part of these intrusion attempts, Energetic Bear has been scanning for and attempting to exploit several publicly known vulnerabilities in enterprise systems, including a directory traversal bug in Citrix appliances that was disclosed in December 2019. The group also has targeted several older flaws in Windows Server, and a remote command execution vulnerability in the Exim mail transfer agent that has been public since June 2019. The attackers are using stolen administrator credentials for initial access in many cases and then moving laterally through the networks to steal sensitive information, such as network configuration schemes and instructions for printing access badges.
The tactics are typical of those used by many advanced threat groups, as is the use of watering hole websites to attract potential victims in a specific industry or community. Energetic Bear set up several watering hole sites that were apparently meant to attract victims in the aviation industry, and also has used a VPN to connect to victim networks.
“More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation within the network. These vulnerabilities can also be leveraged to compromise other devices on the network and to maintain Persistence,” the advisory says.
The warning from the FBI and CISA comes two weeks after the agencies published a separate advisory about APT groups exploiting the Netlogon vulnerability in conjunction with other flaws to target critical infrastructure.
“This recent malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks. Although it does not appear these targets are being selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” that advisory says.