A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.
A Russian state-sponsored advanced persistent threat (APT) actor is actively targeting various state, local, territorial and tribal (SLTT) government networks, according to a joint advisory issued Oct. 22 by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
The hacker, known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala, has targeted dozens of networks, attempted intrusions at several SLTT organizations and aviation networks, successfully compromised network infrastructure and, as of Oct. 1, exfiltrated data from at least two targeted servers.
In recent months, Russia penetrated county systems in California and Indiana, the Washington Post reported. In one case, a small sample of publicly available voter information was taken. In the other, no election data was reported taken.
After gaining access by obtaining user and administrator credentials, the APT actor moved laterally inside targeted networks, identifying high-value assets and exfiltrating data, the advisory said. In at least one case, the hacker got into an SLTT network and accessed documents related to network configurations and passwords, multi-factor authentication procedures, vendors and purchasing information, printing access badges and IT instructions, such as requesting password resets.
Because the attacks targeted state, local and territorial governments, there may be some risk to election-related information housed on SLTT government networks.
“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations,” the advisory said. “However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”
“These actions are desperate attempts by desperate adversaries,” Director of National Intelligence John Ratcliffe said in remarks following a press conference discussing malicious acts by Russia and Iran designed to interfere with the election. “Even if the adversaries pursue further attempts to intimidate or attempt to undermine voter confidence, know that our election systems are resilient, and you can be confident your votes are secure.”
The warning from the FBI and CISA is “an important reminder that we must remain steadfast in our efforts to secure America’s elections,” members of the Government Coordinating Council Executive Committee said in a statement. “Election officials have invested time and money in securing election systems and equipment, but the last line of defense is the trust of the American people.”