In a recent campaign of cyberattacks, Russia has targeted U.S. state and local governments and aviation networks. According to Politico, federal officials say that the Russian government has succeeded in stealing data from at least two victims.
On Oct. 22, a Russian hacking team that is best known for attacks on energy companies “conducted a campaign against a wide variety of U.S. targets” including “dozens” of state and local governments, the Federal Bureau of Investigation (FBI)
This information was released via a joint cybersecurity advisory alert (AA20-296A) that was written by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). The advisory contained information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial and tribal (SLTT) government and aviation networks. The alert states:
“Since at least September 2020, a Russian state-sponsored APT actor, known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting, has conducted a campaign against a wide variety of U.S. targets.”
The Russian actors have targeted dozens of U.S. SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure and, as of October 1, 2020, extracted data from at least two victim servers.
The Russian state-sponsored APT actors are obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network and locate high-value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:
- Sensitive network configurations and passwords. Items such as IP addresses, network maps, usernames and passwords were compromised.
- Standard operating procedures (SOPs) that serve as tasking instructions, and multi-factor authentication (MFA) material, were accessed. This includes thumbprint readers, common access cards (CACs) and possibly retina scan files used for individual access.
- IT instructions, such as how to request and conduct password resets as both an authorized user and system administrator.
- Instructions for printing access badges that would allow unauthorized users access to restricted areas.
To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions or to delegitimize SLTT government entities. As this recent activity has been directed at SLTT government networks, there may be some risk to election information housed on those networks. However, the FBI and CISA have no evidence to date that shows the integrity of election data has been compromised. Due to the heightened awareness surrounding election infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to election infrastructure. The report can be downloaded in a PDF version for future reference.
Politico reports that during
U.S. intelligence analysts monitoring Russian networks have concluded that Moscow may use access to state and local networks to sow chaos if the election remains unresolved after polls close, The New York Times reported.
The United States Institute of Peace reports that tensions between the U.S. and Iran increasingly played out in cyberspace; both governments acknowledged that cyberattacks were central to their strategies. While the full scope was unknown, cyberspace has turned into a virtual battlefield, offering an alternative to the kinetic military action that could lead to full-scale war, which both Washington and Tehran sought to avoid.
On July 23, 2020, Foreign Minister Seyed Abbas Mousavi told reporters that the longstanding cyber campaign against Iran’s infrastructure had escalated in recent months. “A couple of cyberattacks on a broader scale have been launched against the country’s infrastructure. One can say they have been sponsored or launched by [foreign] governments,” Mousavi said.
“Iran has identified the perpetrators sponsoring and directing the attacks — in some cases the sponsor state — and the groups aiding and abetting the attacks,” he added. “Given Mr. Trump’s order, it would be perfectly natural to say that the U.S. government will be the prime suspect for any cyberattack against Iran hereafter, unless the contrary is proved.”
According to Yahoo News, in September 2018, Trump granted the CIA permission to conduct a series of covert cyber operations against Iran and other targets. The authorization, known as a presidential finding, gives the spy agency more freedom in both the kinds of operations it conducts and whom it targets, undoing many restrictions that had been in place under prior administrations. The finding allows the CIA to more easily authorize its own covert cyber operations, rather than requiring the agency to get approval from the White House. The directive gives the CIA the power to go on the offensive against a handful of countries, such as Russia, China, Iran and North Korea, which are directly named in the document.
The CIA’s new powers are not about hacking to collect intelligence. Instead, they open the way for the agency to launch offensive cyber operations with the aim of causing disruption. This includes cutting off electricity or compromising an intelligence operation by dumping classified documents online, as well as the destruction of government networks, similar to the U.S.-Israeli 2009 Stuxnet attack, which destroyed centrifuges that Iran used to enrich uranium gas for its nuclear program. It also makes it easier for the CIA to damage adversaries’ critical infrastructure, such as petrochemical plants, and to engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized, in which tranches of stolen documents or data are leaked to journalists or posted on the internet. Lastly, it allows the agency to conduct disruptive operations against organizations that were largely off-limits previously, such as banks and financial institutions.
Another key change in the finding is that it lessened the evidentiary requirements that had limited the CIA’s ability to conduct covert cyber operations against entities such as media organizations, charities, religious institutions or businesses believed to be working on behalf of adversaries’ foreign intelligence services, as well as individuals affiliated with these organizations, Yahoo News reports.