FBI and CISA Caution of APT Attack that Already Exfiltrated Data from Government Systems

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about Russian state-sponsored advanced persistent threats (APT) identified in various state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about Russian state-sponsored advanced persistent threats (APT) identified in various state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.

The interference of APT actors in the US infrastructure seems to have increased in the past few weeks. Law agencies issued a similar advisory a couple of weeks ago, although of a more limited scope. Now, there are more targets. Early reports say hackers managed to exfiltrate some data as well.

The activity, coming from a Russian state-sponsored APT actor known under names such as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, started in September 2020. The hackers targeted numerous state, local, tribal, and territorial (SLTT) governments and aviation networks, attempted intrusions at several SLTT organizations, and successfully compromised network infrastructure.

What really sets this attack apart is that, on October 1, the Russian-sponsored APT actor managed to exfiltrate data from two servers, although the agencies did not specify where the intrusion took place.

“The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data,” states the advisory.

“The FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”

For now, it”s unclear whether the attackers have a clear target in mind or whether they are trying to compromise as many victims as possible in the hopes of getting something more important along the way. The fact that the intrusions occurred so close to the upcoming November 3 US elections also raises questions.

The agencies also published the indicators of compromise, along with possible mitigations.