The Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security) and the FBI have published a joint security advisory stating that the Russian state-sponsored hacker group Energetic Bear (also tracked as TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti and Koala) has attacked and successfully compromised US government networks.
The agencies write that the group has been targeting state, local, territorial and tribal (SLTT) government networks and organizations in the aviation sector since at least February 2020, and that, as of October 1, 2020, the hackers had "successfully compromised network infrastructure and exfiltrated data from at least two victim servers."
The new advisory is a direct follow-up to a warning the US authorities issued earlier this month, in which CISA and the FBI reported that unnamed state-sponsored hackers were gaining access to government networks by chaining the Zerologon vulnerability (CVE-2020-1472) with various bugs in VPN products. The new advisory attributes that activity to Energetic Bear.
According to the agencies, the attackers gained their initial foothold by exploiting vulnerabilities in Citrix ADC and Gateway (CVE-2019-19781), Microsoft Exchange mail servers (CVE-2020-0688), the Exim mail transfer agent (CVE-2019-10149) and Fortinet SSL VPN (CVE-2018-13379). Zerologon was then used to gain access to Windows Active Directory (AD) and steal credentials, with the aim of subsequent lateral movement across the compromised networks.
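As an added illustration (not part of the advisory or of the original article), the Python script below shows how a defender might triage for the two stages of the chain described above: request-path signatures for the three edge-device CVEs in web access logs, and the Zerologon follow-on in domain-controller security events, where a successful exploit resets the DC's own machine-account password over an unauthenticated Netlogon session and the resulting Event ID 4742 is attributed to ANONYMOUS LOGON (SID S-1-5-7). The log lines, event records, IP addresses and hostnames are constructed sample data, and the regexes are simplified from public exploit write-ups; both are assumptions for this example and should be tuned against real logs before use.

```python
"""Triage helpers for the edge-device CVEs and the Zerologon follow-on (added example)."""
import re

# --- Part 1: edge-device CVE indicators in web/access logs ----------------
# Simplified request-path signatures (assumption: derived from public
# exploit write-ups, not from the advisory itself).
WEB_SIGNATURES = {
    # Citrix ADC/Gateway path traversal into the /vpns/ scripts directory
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/|/vpns/portal/scripts/newbm\.pl", re.I),
    # Fortinet SSL VPN arbitrary file read of the session file
    "CVE-2018-13379": re.compile(r"/remote/fgt_lang\?lang=\S*(?:\.\./|sslvpn_websession)", re.I),
    # Exchange ECP ViewState deserialization: attacker supplies the generator
    "CVE-2020-0688": re.compile(r"/ecp/\S*__VIEWSTATEGENERATOR=", re.I),
}

# Minimal parser for Apache/NGINX "combined"-style lines; only the client IP
# and the quoted request line are needed for triage.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample access log (not real traffic).
SAMPLE_WEB_LOG = [
    '203.0.113.5 - - [10/Oct/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Oct/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 40',
    '198.51.100.7 - - [11/Oct/2020:11:02:33 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 98765',
    '192.0.2.44 - - [12/Oct/2020:09:55:01 +0000] "GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=AAAA HTTP/1.1" 500 512',
    '10.0.0.12 - - [12/Oct/2020:10:00:00 +0000] "GET /owa/ HTTP/1.1" 200 2048',
    '10.0.0.13 - - [12/Oct/2020:10:00:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096',
]


def scan_web_log(lines):
    """Return (cve, client_ip, request_line) for each line matching a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the triage
        for cve, sig in WEB_SIGNATURES.items():
            if sig.search(m.group("req")):
                hits.append((cve, m.group("ip"), m.group("req")))
                break  # one verdict per line is enough
    return hits


# --- Part 2: Zerologon (CVE-2020-1472) follow-on in DC security events ----
# Legitimate machine-account password rotations are performed by the computer
# account itself. A 4742 whose subject is ANONYMOUS LOGON and whose
# "Password Last Set" field actually changed is the pattern to hunt for.
ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample events, reduced to the relevant EventData fields.
SAMPLE_EVENTS = [
    # Normal scheduled rotation: the DC changes its own password.
    {"EventID": 4742, "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1000",
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "09/14/2020 02:10:05"},
    # Zerologon pattern: anonymous subject, DC machine account, password reset.
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "DC01$", "PasswordLastSet": "10/13/2020 02:11:40"},
    # Anonymous attribute change with no password reset: not the pattern.
    {"EventID": 4742, "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON",
     "TargetUserName": "WS07$", "PasswordLastSet": "-"},
    # Unrelated network logon event.
    {"EventID": 4624, "SubjectUserSid": "S-1-0-0", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3},
]


def find_zerologon_resets(events):
    """Return 4742 events that look like an anonymous machine-account password reset."""
    suspicious = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        anonymous = (ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
                     or ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")
        machine_account = ev.get("TargetUserName", "").endswith("$")
        password_changed = ev.get("PasswordLastSet", "-") != "-"
        if anonymous and machine_account and password_changed:
            suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for cve, ip, req in scan_web_log(SAMPLE_WEB_LOG):
        print(f"web  {cve:15} {ip:14} {req}")
    for ev in find_zerologon_resets(SAMPLE_EVENTS):
        print(f"dc   {ev['TargetUserName']} password reset by {ev['SubjectUserName']} at {ev['PasswordLastSet']}")
```

Both checks are deliberately narrow: the web signatures only catch the well-known exploit paths, so a scanner that URL-encodes or pads the traversal will slip past them, and the 4742 heuristic says nothing about whether the attacker went on to pull credentials with DCSync. They are a starting point for scoping an incident, not a substitute for patching the five CVEs.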
Where an attack succeeded, Energetic Bear reportedly stole a variety of files from the government networks, including ones relating to sensitive network configurations and passwords; standard operating procedures (SOPs); IT instructions, such as requests for password resets; vendor and purchasing information; and printing access badges.
“To date, the FBI and CISA have no information to indicate that this APT intentionally disrupted the aviation or education sectors, elections or government operations. However, the group could seek access in order to have opportunities for future attacks that could affect US policies and actions or deprive government structures of legitimacy,” the FBI and CISA representatives write.