Posted October 6, 2020
According to a recent report by the Cybersecurity and Infrastructure Security Agency (CISA), an unnamed US federal agency has been breached, and third-party analysts now believe that Fancy Bear, the infamous Russian Advanced Persistent Threat (APT) group, is the likely culprit.
In this short article, we will provide some details about the incident, give you a little more background on the story, and share some of CISA’
The CISA report did not disclose the date of the hack or the name of the affected agency, but it described the mechanics of the compromise in detail.
The attackers somehow obtained valid Microsoft Office 365 credentials and used them to gain initial access to the agency’s network. How they obtained these credentials is not known, but CISA speculates that the threat actors may have exploited a known vulnerability in an unpatched VPN server.
After the initial breach, the attackers performed reconnaissance to learn the layout of the network and to search for more information, and they also created a user account for themselves. Eventually they established persistence in the compromised network, set up a dial-up connection, executed commands, and stole data. They also deployed a custom malware tool that the agency’s anti-malware protection did not detect.
Who did it?
According to a WIRED report published this week, there is strong evidence that the Russian APT group known as Fancy Bear was behind the attack. Fancy Bear, also known as APT28, Sofacy Group and STRONTIUM, is believed to have the support of the Russian government, and has been linked to Russian military intelligence by authorities in Britain and the United States.
Analysts at WIRED point out that an FBI alert sent to various U.S. authorities and educational organizations in May warned that Fancy Bear was actively targeting networks in the United States; this alert referred to specific IP addresses related to Fancy Bear’s malicious activities, and one of these IP addresses also appeared in the recent CISA report on the successful compromise of the federal agency. In addition, the researchers note that another IP address mentioned in the CISA report has appeared in connection with Fancy Bear before: a report from the Department of Energy from 2019 cited the other IP address as the origin of network probes attributed to the Russian APT.
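Two of the behaviours described above are straightforward to hunt for in identity audit logs: successful sign-ins from IP addresses that appear on a published watch list (such as the one in the FBI alert), and the creation of a new user account by that same actor shortly afterwards. The following Python script is an added example, not code from the article, CISA or WIRED; the log schema, the watch-list addresses, the user names and the timestamps are all constructed, and the real indicators from the FBI alert and the CISA report are deliberately not reproduced.

```python
"""Audit-log triage for the two behaviours the article describes: sign-ins
from watch-listed IP addresses and account creation by the same actor soon
afterwards. Added example; the log format, IPs and users are all constructed."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed watch list (TEST-NET addresses); the real indicators from the
# FBI alert and the CISA report are deliberately not reproduced here.
WATCHLIST = {"203.0.113.45", "198.51.100.7"}

# Constructed sample log, one JSON record per line, with a schema loosely
# modelled on cloud identity audit logs (timestamp, operation, actor, IP, target).
SAMPLE_LOG = """
{"ts": "2020-09-01T08:02:00", "op": "UserLoggedIn", "user": "alice@agency.example", "ip": "192.0.2.10"}
{"ts": "2020-09-01T23:41:00", "op": "UserLoggedIn", "user": "bob@agency.example", "ip": "203.0.113.45"}
{"ts": "2020-09-02T01:05:00", "op": "AddUser", "user": "bob@agency.example", "ip": "203.0.113.45", "target": "svc-backup@agency.example"}
{"ts": "2020-09-02T09:15:00", "op": "AddUser", "user": "alice@agency.example", "ip": "192.0.2.10", "target": "newhire@agency.example"}
"""


@dataclass
class Event:
    ts: datetime
    op: str
    user: str
    ip: str
    target: str = ""


def parse_line(line: str) -> Event:
    """Parse one JSON audit record into an Event."""
    rec = json.loads(line)
    return Event(
        ts=datetime.fromisoformat(rec["ts"]),
        op=rec["op"],
        user=rec["user"],
        ip=rec["ip"],
        target=rec.get("target", ""),
    )


def triage(lines, watchlist=WATCHLIST, window=timedelta(hours=24)):
    """Return (severity, message) findings in chronological order.

    high:     successful sign-in from a watch-listed IP
    critical: that same actor creates an account within `window` of the sign-in
    info:     any other account creation, kept for review
    """
    events = sorted(
        (parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts
    )
    findings = []
    flagged = []  # sign-ins from watch-listed IPs seen so far
    for e in events:
        if e.op == "UserLoggedIn" and e.ip in watchlist:
            findings.append(("high", f"{e.ts:%Y-%m-%d %H:%M} sign-in by {e.user} from watch-listed IP {e.ip}"))
            flagged.append(e)
        elif e.op == "AddUser":
            recent = [s for s in flagged
                      if s.user == e.user and timedelta(0) <= e.ts - s.ts <= window]
            if recent:
                findings.append(("critical", f"{e.ts:%Y-%m-%d %H:%M} {e.user} created {e.target} shortly after a watch-listed sign-in"))
            else:
                findings.append(("info", f"{e.ts:%Y-%m-%d %H:%M} {e.user} created {e.target}"))
    return findings


if __name__ == "__main__":
    for severity, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {msg}")
```

Run against the constructed sample, the script reports one high finding (the sign-in from a watch-listed address), one critical finding (the account that actor created an hour and a half later), and one informational entry for the unrelated account creation. In a real deployment the watch list would be loaded from the published indicators and the log lines streamed from the identity provider's audit export.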
What do the attackers want?
It is not possible to determine a motive without knowing which agency was compromised, but if the recent breach really was the work of Fancy Bear, we can make some broad assumptions.
Fancy Bear has been involved in a wide range of malicious activities, including espionage in support of Russian intelligence gathering, as well as information operations designed to destabilize Russia’s geopolitical rivals. Such actions are ongoing. Security researchers recently discovered an espionage campaign that used fake NATO training materials to target the governments of NATO member countries and allied nations, apparently with the aim of stealing sensitive data. In September, Microsoft released a report describing Fancy Bear’s attempts to harvest MS Office 365 credentials from US and UK election organizations.
Attempts to hack electoral organizations are particularly disturbing, since Fancy Bear is generally believed to be the group that hacked the Democratic National Committee in 2016; information stolen in the breach was later leaked in an attempt to destabilize the election. This type of “hack and leak” operation has been thoroughly studied by security researchers, and is considered a hallmark of Russian information operations.
If Fancy Bear was behind this latest attack on the still unnamed US agency, the ultimate goal may have been espionage – or an attempt to steal information for use in a disinformation or destabilization campaign.
How can organizations stay safe?
APTs are a major threat to organizations, and Fancy Bear is just one of many such groups around the world. APTs are usually well resourced and skilled, and often have unofficial support from a government, military or intelligence agency. By and large, their attacks tend to be targeted, which sets them apart from ordinary cybercriminals.
However, this does not mean that APTs only go after government officials, or that average users will never encounter them. These shadowy groups have been known to target organizations in critical non-governmental sectors such as finance, healthcare, education and industry. In addition, APTs associated with pariah states may engage in financially motivated cybercrime to fund weapons programs or replace revenue lost to international sanctions. For example, financial gain is believed to be a major motivator for the North Korea-affiliated Lazarus Group, an organization that has been involved in many attacks on everyday cryptocurrency users (and is responsible for some of the most sophisticated Mac malware around).
CISA has made a number of recommendations to help organizations and individuals protect themselves against APT groups. These recommendations include:
Use enterprise firewalls
All organizations are advised to deploy enterprise firewalls to better control network traffic. Firewalls allow an organization to regulate what can come in and out of its network, making it much more difficult for unauthorized people to gain access or exfiltrate data.
Block unused ports
Connections to a network are made via communication endpoints called ports. Typically, an organization’s network uses only a limited number of ports for its normal functions; unused ports can still receive connection requests if left open, which is a potential security risk. CISA recommends that organizations block unused ports using the firewall, and develop a specific process that must be followed to make changes to blocked ports.
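One way to put the "block unused ports" recommendation into practice is to compare what a host is actually listening on against a written allowlist of approved services, and to generate the firewall policy from that same allowlist so the two cannot drift apart. The Python script below is an added example, not from the article or from CISA; the allowlist, the sample `ss -tuln` output and the host it describes are constructed, and the rendered nftables ruleset is shown as text rather than applied to a live system.

```python
"""Open-port audit against a service allowlist, and an nftables default-deny
ruleset rendered from the same allowlist. Added example; the allowlist and the
sample `ss` output are constructed."""

# Constructed allowlist: (protocol, port) -> why it is allowed.
ALLOWED = {
    ("tcp", 22): "ssh, management",
    ("tcp", 443): "https, public web",
}

# Constructed sample modelled on `ss -tuln` output (Linux listening sockets).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3389     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161      0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def listening_sockets(ss_text):
    """Yield (proto, bind_address, port) for each socket in `ss -tuln` text."""
    for line in ss_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        yield proto, addr, int(port)


def unexpected_ports(ss_text, allowed=ALLOWED):
    """Return sorted (proto, port) pairs reachable from the network but not allow-listed.

    Loopback-only binds are skipped: they are not reachable from outside the host,
    so they are a separate (host-hardening) question from the firewall allowlist.
    """
    found = set()
    for proto, addr, port in listening_sockets(ss_text):
        if addr in LOOPBACK:
            continue
        if (proto, port) not in allowed:
            found.add((proto, port))
    return sorted(found)


def render_nft_ruleset(allowed=ALLOWED):
    """Render an nftables input chain that drops by default and accepts only the allowlist."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for (proto, port), reason in sorted(allowed.items()):
        lines.append(f"    {proto} dport {port} accept  # {reason}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for proto, port in unexpected_ports(SAMPLE_SS):
        print(f"unexpected listener: {proto}/{port}")
    print(render_nft_ruleset())
```

On the constructed sample the audit flags tcp/3389 and udp/161 as listeners that nobody approved, while the PostgreSQL socket bound only to 127.0.0.1 is left out of the report. The rendered ruleset is the "change process" in miniature: adding a port means adding an allowlist entry with a stated reason, and everything else stays dropped.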
Turn on 2FA
Everyone on the network – and especially users with elevated permissions – should use 2FA. If a user’s credentials are stolen, 2FA can help stop this initial compromise from becoming a full-fledged network intrusion. Although it may take some time to get used to multi-factor authentication, it is an important security practice in today’s threat landscape, both for organizations and for individuals.
Update software regularly
As mentioned above, CISA believes that the attackers may have obtained valid credentials by exploiting outdated software. In this case, the vulnerability was well known, and the affected vendor had already issued a security update – but unfortunately the vulnerable software had not been updated. This is why it is crucial to keep operating systems and software up to date, and why we generally recommend automatic updates to achieve this.