It appears Fancy Bear, the Russian cyber crime group linked to the GRU, is responsible for a US federal agency break-in and data theft. Cyber experts piece together clues to garner more insight into the sophisticated attack.
On September 24, the Cybersecurity and Infrastructure Security Agency (CISA) released a report summarizing its response to a wide-reaching federal agency enterprise network attack. The affected agency was undisclosed.
The hack was executed by obtaining CISA employee Microsoft Office 365 usernames and passwords. It is yet to be determined how that information was compromised. The hackers then used command line tools to navigate through and manipulate Microsoft infrastructure, sneaking through firewalls and executing the hack in an approach curated to evade detection. Unlike the semi-automated malware tools that are common amongst novice hackers, this breach was executed with patience and precision. In other words, these hackers were no amateurs.
Over several months, the malicious actors were able to exploit accessible applications and current user credentials in order to gain admin access. This access was used to methodically explore the network and take advantage of several vulnerabilities until they ultimately gained access to the department’s virtual private network (VPN) server. From there, additional multi-stage malware was installed that allowed the hackers to bypass detection and create new local accounts. Finally, the hackers stole data from account directories and compressed the data into two .zip files. Due to the sophistication of the hack, whether the hackers were able to exfiltrate these .zip files remains a mystery.
While the CISA report doesn’t name Fancy Bear as the culprit, it does list the IP addresses involved in the attack. As reported by WIRED, the cyber security team Dragos examined an FBI notification sent to victims of a previous hack for clues—and found some. When Dragos compared the IP addresses to the known FBI Fancy Bear attack from August, they found a match. Another IP address out of Latvia matched with a Department of Energy breach from last year—also credited to Fancy Bear.
Still more IP addresses overlapped with other known cybercriminal operations out of Russia. It is assumed that the state-sponsored hackers are leveraging lay-hacker infrastructure to create plausible deniability.
The nature of the compromised data is unknown.
Russia’s hacking efforts in the United States are acknowledged and ongoing. As Dragos’ Joe Slowik says, “It's certainly not surprising that Russian intelligence would be trying to penetrate the US government. That's kind of what they do. But it is worth identifying that not only is such activity continuing, it's been successful.”
As with any business, hackers run the gamut of talent and success. While some are easy to thwart with basic cyber security measures, staying a step ahead of elite cyber criminals is near impossible. The more valuable the entity or the information it holds, the higher caliber hacker it attracts. In this case, the United States government is attracting top-tier hackers from known adversaries.
That isn’t to say there aren’t lessons that all enterprises can learn, however. The advice handed down from the CISA isn’t just for high-ranking government entities. It can and should be appropriately scaled and applied to web presences big and small. Applicable actions the CISA suggests that apply across the board include:
Whether or not the CISA and the United States government are losing ground to elite hacking rings is yet to be seen. However, organizations of all sizes and types should take heed of a July statement by Bryan Ware, assistant director for Cybersecurity at CISA. “As we’ve said many times, our adversaries are capable, imaginative and aim to disrupt essential services, so it is important that we make sure we are staying ahead of them. Our goal at CISA is to lead and encourage a proactive ‘whole community’ assessment and response to significant threats and ensure we provide the right tools and services at the right time.”