23 October 2020

Energetic Bear APT targets US governments, aviation networks


A hacker group believed to have ties to Russia has targeted dozens of US state and local governments and aviation networks since September this year. That's according to a joint security advisory released Thursday by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).

The two agencies said that since at least September the threat actor, tracked as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala, has tried to break into various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. In some instances the intrusions resulted in successful compromise of network infrastructure, and as of October 1, 2020, the hackers had stolen data from at least two victim servers.

The hackers gain initial access to the victim network using user and administrator credentials obtained via brute force attacks. The threat actor has been observed using Turkish IP addresses (213.74.101[.]65, 213.74.139[.]196, and 212.252.30[.]170) to attempt brute force logins and conduct SQL injection attacks.
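As an added defender's example (not part of the advisory or this article), the script below flags brute-force login bursts in constructed sshd-style log lines and cross-checks the source against the three IP addresses named above (shown here without the de-fanging brackets). The log lines, the failure threshold and the time window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IPs named in the FBI/CISA advisory (de-fanged in the article).
ADVISORY_IPS = {"213.74.101.65", "213.74.139.196", "212.252.30.170"}

# Constructed sample log lines (not from any real system), sshd-style.
SAMPLE_LOG = """\
Oct 01 03:14:01 vpn-gw sshd[2201]: Failed password for admin from 213.74.101.65 port 50122 ssh2
Oct 01 03:14:03 vpn-gw sshd[2201]: Failed password for admin from 213.74.101.65 port 50123 ssh2
Oct 01 03:14:05 vpn-gw sshd[2201]: Failed password for root from 213.74.101.65 port 50124 ssh2
Oct 01 03:14:07 vpn-gw sshd[2201]: Failed password for jsmith from 213.74.101.65 port 50125 ssh2
Oct 01 03:14:09 vpn-gw sshd[2201]: Failed password for jsmith from 213.74.101.65 port 50126 ssh2
Oct 01 03:14:11 vpn-gw sshd[2201]: Accepted password for jsmith from 213.74.101.65 port 50127 ssh2
Oct 01 03:20:00 vpn-gw sshd[2202]: Failed password for alice from 10.0.0.7 port 41000 ssh2
Oct 01 03:20:30 vpn-gw sshd[2202]: Accepted password for alice from 10.0.0.7 port 41001 ssh2
Oct 01 04:00:00 vpn-gw sshd[2203]: Failed password for bob from 198.51.100.9 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(line, year=2020):
    """Parse one sshd auth line into (timestamp, result, user, ip); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for IPs with >= threshold failures inside a sliding window,
    noting whether a success followed and whether the IP is on the advisory list."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
            # keep only failures that fall inside the window ending at this event
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            if len(failures[ip]) >= threshold and ip not in findings:
                findings[ip] = {"failures": len(failures[ip]), "success_after": False,
                                "advisory_ioc": ip in ADVISORY_IPS}
        elif result == "Accepted" and ip in findings:
            findings[ip]["success_after"] = True  # a burst of failures ended in a login
    return findings
```

A source that is both on the advisory list and shows a success after a failure burst is the case that warrants an immediate credential reset and session review.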

The hackers also conducted scans for vulnerable Citrix and Microsoft Exchange servers, likely for further exploitation. The advisory said the attackers continue to exploit a Citrix directory traversal bug (CVE-2019-19781) and a Microsoft Exchange remote code execution flaw (CVE-2020-0688), as well as a Fortinet VPN vulnerability (CVE-2018-13379). In addition, the hackers have been observed using a recently disclosed (and patched) Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers and elevate privileges.

Once in the network, the attackers search for high-value assets in order to exfiltrate data, the two agencies said. In at least one compromise the malicious actor gained access to documents related to sensitive network configurations and passwords, standard operating procedures (SOP), IT instructions such as requesting password resets, vendor and purchasing information, and printing access badges.

So far, there is no evidence that the threat actor has intentionally disrupted any aviation, education, elections, or government operations, the FBI and the CISA said.
