Russian State-Sponsored APT Threat Actor Compromises U.S. Government Targets


Thursday, October 29th, 2020

The Russian state-sponsored APT known as Berserk Bear, Energetic Bear, TeamSpy, or Dragonfly has conducted a campaign against a wide range of U.S.-based targets. It has targeted various State, Local, Territorial and Tribal (SLTT) government networks, as well as aviation networks. This includes attempted intrusions into several SLTT and aviation networks, compromise of network infrastructure, and exfiltration of data from two victim servers as of October 1, 2020. The APT is harvesting user and administrative credentials in order to establish initial access, then moving laterally to locate high-value assets from which it can later exfiltrate data.

As described by the FBI, in at least one case this APT successfully accessed documents containing sensitive network configurations and passwords, standard operating procedures and IT instructions relating to security, vendor and purchasing information, and printing access badges. The FBI states that there is no evidence the APT has disrupted aviation, education, election or government operations, but that it may be planning or preparing to do so in the future. The FBI has also theorized that this APT has clear plans to disrupt, influence or delegitimize SLTT government entities and/or U.S. policies. Election information on SLTT networks therefore remains at some level of risk.

According to the FBI, several Office 365 accounts have been compromised on at least one victim network. Among various technical details, the threat actors are using Turkish IP addresses and have attempted SQL injection against victim websites. Alongside hosting malicious domains, the APT scans for Citrix and Exchange servers in order to exploit CVE-1029 and CVE-2020-0688. The FBI also recommends that any SLTT entity whose systems are vulnerable to CVE-2020-1472 should assume its Active Directory has been compromised. Among other guidance, the FBI suggests updating VPNs that are in use and discontinuing those that are not, implementing MFA, and keeping systems patched and up to date. For more technical details, see the full advisory linked below.

US-Cert.Cisa.gov
