
US Officials Blame Data Exfiltration on Russian APT Group

'Berserk Bear' Hacking Team Known for 'Gaining Footholds in Critical Infrastructure'
The FBI/CISA alert ties recent data exfiltration to the Russia-aligned nation state adversary group Berserk Bear (Image: CrowdStrike)

(This story has been updated to clarify that data was exfiltrated, but there is no evidence that the integrity of elections data has been compromised.)


U.S. intelligence officials say a Russia-backed hacking group has compromised some state and local government computer systems since at least September and exfiltrated data. So far, however, the attackers do not appear to have attempted to otherwise interfere with or disrupt those networks.

The attacks were described Thursday by the FBI and the Cybersecurity and Infrastructure Security Agency, just one day after U.S. government officials warned of increased cyber activity by Iran and Russia focused on the Nov. 3 presidential election. The two agencies say they have "no evidence to date that integrity of elections data has been compromised."

On Wednesday, Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray blamed Iran for sending emails to registered Democrats in at least three states, threatening physical violence unless their votes were cast for President Donald Trump.

The Iranian government denies being behind the campaign, although Reuters reports that U.S. intelligence officials are confident about the attribution because of mistakes the hackers made, including failing to redact IP addresses visible in parts of a video that showed the hackers' computer screen; those addresses traced back to infrastructure previously used by Tehran to launch attacks (see US Alleges Iran Sent Threatening Emails to Democrats).

At a Wednesday press conference, Director of National Intelligence John Ratcliffe said active Iranian and Russian campaigns are targeting U.S. voters and attempting to damage trust in the U.S. election system.

Some U.S. officials have suggested the threat posed by Russia, however, continues to dwarf the risk from Iran, The New York Times reports, citing anonymous sources. Many security experts have characterized the allegedly Iranian email campaign this week, which pretended to have been sent by The Proud Boys, a far-right, fascist group that is pro-Trump, as being amateurish.

Tracking Berserk Bear

The Russian group behind the election-related data theft described on Thursday by the FBI and CISA is known as Berserk Bear. It "exfiltrated data from at least two victim servers," the government's alert says. Berserk Bear has targeted dozens of state, local, territorial and tribal government networks - which the government calls SLTT networks - including aviation networks, it says.

FBI/CISA advisory

At least so far, however, the Russian attackers don't appear to have disrupted any of the networks. But the APT group may be seeking footholds to conduct future disruption activities or to "influence U.S. policies and actions," the FBI and CISA warn.

After the 2016 election - during which the U.S. said Russia targeted state voting infrastructure and attempted to use social media to influence voters' opinions and otherwise interfere in democratic systems - the White House classified election systems as being critical infrastructure.

The chance of Russia actually attempting to disrupt U.S. election infrastructure is likely small, says Tom Uren, a senior analyst with the Australian Strategic Policy Institute's International Cyber Policy Center in Canberra.

But probes or attempted meddling increase the chance of accidents or escalation. And even small-scale or attempted interference efforts by Russia might cause turmoil and give the Trump campaign cause to claim that election results could not be trusted, Uren says.

'Strong Attack Group'

Berserk Bear - the name assigned to the group by cybersecurity firm CrowdStrike, which uses "Bear" for Russia-linked nation-state adversaries - is also known by a variety of other nicknames, including Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, Iron Liberty and Koala Team. CrowdStrike describes Berserk Bear as an adversary group with "strong ties to Moscow" and whose operations "align very closely with the likely collection priorities of Russian intelligence."

Some cybersecurity experts believe the group is affiliated with Russia's Federal Security Service, or FSB, which is the successor to the KGB.

The behavior recently attributed to the group is not unusual. The group has "a long history of gaining footholds in critical infrastructure to hold it under threat," tweets John Hultquist, a senior director of intelligence analysis at cybersecurity firm FireEye. Hultquist says the group has successfully targeted energy providers, water infrastructure and airports.

The U.S. government's alert describes a variety of tactics the Russian group uses to attack local and state governments. That includes trying to brute force its way into servers, using SQL injection attacks against websites and setting up malicious domains designed to infect victims' computers.

The group also has used a variety of recent and potent vulnerabilities, including the Windows Netlogon flaw designated CVE-2020-1472; a Microsoft Exchange remote code execution flaw, CVE-2020-0688; and a directory traversal flaw in Citrix, CVE-2019-19781.

"The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation," the FBI and CISA say.

Between February and mid-September, Berserk Bear successfully compromised Microsoft Office 365 accounts on at least one victim's network, the agencies say. In light of those efforts, they have released a list of five vulnerabilities that organizations should ensure they're patched against, as well as mitigation strategies to counter attacks.
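The alert summarized above lists password brute forcing against servers and SQL injection against websites among the group's tactics. As an added example that is not part of the article or the FBI/CISA alert, the following Python shows the kind of log-based detection a defender would run for those two tactics: a sliding-window count of failed logins per source (flagging a success that follows a burst of failures), and a scan of decoded web request query strings for classic injection markers. The log line formats and every IP address, username and path are constructed for the example.

```python
"""Added example (not from the article or the FBI/CISA alert): toy detection
logic for two tactics the alert lists, repeated password guessing against a
server and SQL injection probes against a website. The log lines below are
constructed for the example; both log formats are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed auth log (assumed sshd-like format): timestamp, result, user, source IP.
AUTH_LOG = """\
2020-10-01T10:00:01 FAILED user=admin src=203.0.113.7
2020-10-01T10:00:03 FAILED user=root src=203.0.113.7
2020-10-01T10:00:04 FAILED user=administrator src=203.0.113.7
2020-10-01T10:00:06 FAILED user=admin src=203.0.113.7
2020-10-01T10:00:09 FAILED user=backup src=203.0.113.7
2020-10-01T10:00:11 ACCEPTED user=backup src=203.0.113.7
2020-10-01T10:02:00 FAILED user=jsmith src=198.51.100.4
2020-10-01T10:45:00 FAILED user=jsmith src=198.51.100.4
"""

# Constructed web access log (assumed common-log-like format).
WEB_LOG = """\
203.0.113.7 - - [01/Oct/2020:10:05:00 +0000] "GET /news.php?id=12 HTTP/1.1" 200 512
203.0.113.7 - - [01/Oct/2020:10:05:02 +0000] "GET /news.php?id=12'%20OR%20'1'='1 HTTP/1.1" 500 88
203.0.113.7 - - [01/Oct/2020:10:05:04 +0000] "GET /news.php?id=12%20UNION%20SELECT%20null,null-- HTTP/1.1" 500 88
198.51.100.4 - - [01/Oct/2020:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

AUTH_RE = re.compile(r"^(\S+) (FAILED|ACCEPTED) user=(\S+) src=(\S+)$")


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: {"failures": n, "success_after_failures": bool}} for every
    source with at least `threshold` failed logins inside one sliding `window`.
    A successful login from the same source after the burst is flagged
    separately, because that is the case that needs immediate follow-up."""
    attempts = defaultdict(list)  # src -> [(timestamp, result, user)]
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.fromisoformat(m.group(1))
        attempts[m.group(4)].append((ts, m.group(2), m.group(3)))

    findings = {}
    for src, events in attempts.items():
        events.sort()
        fails = [ts for ts, res, _ in events if res == "FAILED"]
        burst_end = None
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        success_after = any(res == "ACCEPTED" and ts >= burst_end
                            for ts, res, _ in events)
        findings[src] = {"failures": len(fails),
                         "success_after_failures": success_after}
    return findings


# Markers typical of SQL injection probes, checked on the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I),  # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"--\s*$|/\*"),                            # SQL comment terminators
]
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def detect_sqli_probes(log_text):
    """Return (src_ip, path, pattern_index) for each request whose decoded
    query string matches one of the injection markers above."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        src, _, _, target, _ = m.groups()
        path, _, query = target.partition("?")
        decoded = unquote_plus(query)  # probes are usually percent-encoded in logs
        for idx, pattern in enumerate(SQLI_PATTERNS):
            if pattern.search(decoded):
                hits.append((src, path, idx))
                break
    return hits


if __name__ == "__main__":
    print("brute force:", detect_brute_force(AUTH_LOG))
    print("sqli probes:", detect_sqli_probes(WEB_LOG))
```

On the constructed input, only the source with five failures in eight seconds is reported, and it is also marked as having logged in successfully right after the burst; the two slow failures from the other source fall below the threshold. The web scan flags the two probing requests and leaves the ordinary page loads alone. Real deployments would tune the threshold and window to the service and decode the query string exactly as the application does.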

High Risk: Influence Operations

As the Nov. 3 election approaches, many analysts say that on a state level, numerous races look to be closely contested. With controls to help safeguard voters during the ongoing COVID-19 pandemic, it's not clear if polls will close on time. Regardless, counting the votes - which some states start after the polls close - could be a prolonged process.

The time between when polls close and a winner is declared is a crucial gap that officials fear could be used to sow doubt about the legitimacy of the election. Attackers need not hack systems to cause chaos.

U.S. officials are on heightened alert for cyber activity - including misinformation and disinformation efforts - that seeks to convince voters that election systems aren't secure or that the result of any election could be in doubt. Due to the coronavirus pandemic, many states are processing record numbers of mail-in ballots.

'Our Perceptions are the Target'

Hultquist doesn't think that Russia's efforts will affect the election's outcome in any "meaningful" way, but he warns that such activity could decrease trust. He tells Information Security Media Group that Russia "can certainly meddle, but the meddling will have limited effects on results. The point of the meddling is to suggest results can't be trusted."

Russia doesn't have to touch election infrastructure to cause chaos, ASPI's Uren notes. Simply suggesting that there's been fraud early during the vote-tallying could be a spark that causes such lies to get amplified across social media or news outlets.

"Anything that the Russians do, even on a small scale, could feed into that," he says.

Executive Editor Mathew Schwartz contributed to this report.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
