In a recent cybersecurity incident, the U.S. government issued a statement claiming that state-sponsored Russian hackers attacked the U.S. agencies and successfully breached the government networks. CISA (Cybersecurity and Infrastructure Security Agency) and FBI (Federal Bureau of Investigation) issued a joint report regarding the issue, confirm the U.S. government officials.
“The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets to exfiltrate data. To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities,” reports FBI and CISA.
According to the U.S. agencies, the hacking group is called Energetic Bear (code name used by the cybersecurity industry). The hacking group is also infamous as Koala, Crouching Yeti, Havex, Dragonfly, TeamSpy, Berserk Bear, and TEMP. Isotope. From February 2020, the hackers targeted multiple US SLTT (state, local, territorial, and tribal) government networks. According to the FBI and CISA, the hackers also attacked aviation industry companies. As per the reports, Energetic Bear was able to attack government network infrastructures. By October 2020, it also stole data from two government servers. The attacks mentioned in the current CISA and FBI reports were also mentioned in a previous joint advisory report. In the earlier report, the agencies revealed how the Energetic Bear attacked the U.S. government’s networks using Windows bugs and VPN appliances.
The present joint report links the attacks to the hacking group. It also provides information about the group’s tactics and strategies. As per the experts, the Russian hackers used common vulnerabilities to breach the network gears and exfiltrate data. According to Cyberscoop, “IP addresses used in the hacking were previously employed by the TEMP. Isotope group, according to Mandiant. The hackers exploited a recently revealed vulnerability in a protocol that Microsoft uses to authenticate its users. CISA, on Sept. 18, ordered all federal civilian agencies to update their software to address the flaw because of the risk it carried.”
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.