Ethical Hacking News

Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets: A Growing Concern for National Security



A joint cybersecurity advisory by the FBI and CISA reveals that a Russian state-sponsored advanced persistent threat actor has been targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks, for over two years. The actor's sophisticated tactics and techniques have allowed it to successfully breach numerous networks, compromise sensitive information, and potentially disrupt critical infrastructure. Organizations are urged to take immediate action to secure their networks and systems in response to this threat.


  • Russian state-sponsored APT actor activity targeting US SLTT, aviation networks has reached a critical juncture.
  • The actor has conducted a campaign against dozens of US targets since at least September 2020.
  • The actor has obtained user and admin credentials to establish initial access and exfiltrate data.
  • Compromised networks have revealed sensitive information, including passwords and IT instructions.
  • The FBI and CISA urge organizations to take immediate action to secure their networks and report suspicious activity.


In a recent joint cybersecurity advisory, released by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), it has been revealed that Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks, has reached a critical juncture. This advisory updates joint CISA-FBI cybersecurity advisory AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Since at least September 2020, a Russian state-sponsored APT actor, known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting, has conducted a campaign against a wide variety of U.S. targets. The APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.

The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.

As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on these networks. However, the FBI and CISA have no evidence to date that the integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.

The use of APT actors by nation-states has become a significant concern for national security in recent years. These actors are highly skilled and well-funded, making them formidable opponents in the world of cybersecurity. Their sophisticated tactics, techniques, and procedures (TTPs) allow them to evade detection and breach even well-defended networks.

In this case, the Russian-sponsored APT actor has demonstrated a remarkable level of sophistication and persistence. By targeting SLTT government networks and aviation networks, the actor is gaining access to sensitive information and positioning itself to potentially disrupt critical infrastructure. The fact that the actor may be seeking future disruption options or attempting to influence U.S. policies and actions highlights the significant threat posed by these actors.

The FBI and CISA have emphasized the importance of vigilance and cooperation in this matter. Organizations are urged to take immediate action to secure their networks and systems, including implementing multi-factor authentication, monitoring for suspicious activity, and reporting any incidents to the relevant authorities.

In conclusion, the recent joint cybersecurity advisory highlights the growing concern posed by Russian state-sponsored APT actors targeting U.S. government targets. The FBI and CISA will continue to monitor this activity and provide guidance and support to affected organizations.



Related Information:

  • https://thehackernews.com/2024/09/us-proposes-ban-on-connected-vehicles.html

  • https://www.cnn.com/2024/09/23/tech/us-car-software-ban-china-russia/index.html

  • https://www.nytimes.com/2024/09/23/us/politics/chinese-software-ban-cars-biden.html

  • https://attack.mitre.org/groups/G0035/

  • https://en.wikipedia.org/wiki/Berserk_Bear

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a

  • https://apt.etda.or.th/cgi-bin/showcard.cgi?g=TeamSpy Crew

  • https://en.wikipedia.org/wiki/Havex



  • Published: Thu Sep 26 05:36:13 2024 by llama3.2 3B Q4_K_M