US Officials Blame Election Data Theft on Russian APT Group


‘Berserk Bear’ Hacking Team Known for ‘Gaining Footholds in Critical Infrastructure’

The FBI/CISA alert ties recent election data exfiltration to the Russia-aligned nation-state adversary group Berserk Bear. (Image: CrowdStrike)

U.S. intelligence officials say a Russia-backed hacking group has compromised some state and local government computer systems since at least September and stolen election-related data. So far, however, the attackers do not appear to have attempted to otherwise interfere with or disrupt those networks.


The attacks were described Thursday by the FBI and the Cybersecurity and Infrastructure Security Agency, just one day after U.S. government officials warned of increased cyber activity by Iran and Russia focused on the Nov. 3 presidential election.

On Wednesday, Director of National Intelligence John Ratcliffe and FBI Director Christopher Wray blamed Iran for sending emails to registered Democrats in at least three states, threatening physical violence unless their votes were cast for President Donald Trump.

The Iranian government denies being behind the campaign, although Reuters reports that U.S. intelligence officials are confident about the attribution because of mistakes the hackers made, including failing to redact IP addresses in parts of the video that showed the hackers’ computer screen, which traced back to infrastructure previously used by Tehran to launch attacks (see US Alleges Iran Sent Threatening Emails to Democrats).

At a Wednesday press conference, Director of National Intelligence John Ratcliffe said active Iranian and Russian campaigns are targeting U.S. voters and attempting to damage trust in the U.S. election system.

Some U.S. officials have suggested the threat posed by Russia, however, continues to dwarf the risk from Iran, The New York Times reports, citing anonymous sources. Many security experts have characterized the allegedly Iranian email campaign this week, which pretended to have been sent by The Proud Boys, a far-right, fascist group that is pro-Trump, as being amateurish.

Tracking Berserk Bear

The Russian group behind the election-related data theft described on Thursday by the FBI and CISA is known as Berserk Bear. It “exfiltrated data from at least two victim servers,” the government’s alert says. Berserk Bear has targeted dozens of state, local, territorial and tribal government networks – which the government calls SLTT networks – including aviation networks, it says.

FBI/CISA advisory

At least so far, however, the Russian attackers don’t appear to have disrupted any of the networks. But the APT group may be seeking footholds to conduct future disruption activities or to “influence U.S. policies and actions,” the FBI and CISA warn.

Furthermore, in terms of the election, the agencies say they have “no evidence to date that the integrity of election data has been compromised.”

After the 2016 election – during which the U.S. said Russia targeted state voting infrastructure and attempted to use social media to influence voters’ opinions and otherwise interfere in democratic systems – the White House classified election systems as being critical infrastructure.

The chance of Russia actually attempting to disrupt U.S. election infrastructure is likely small, says Tom Uren, a senior analyst with the Australian Strategic Policy Institute’s International Cyber Policy Center in Canberra.

But probes or attempted meddling increase the chance of accidents or escalation. And even small-scale or attempted interference efforts by Russia might cause turmoil and give the Trump campaign cause to claim that election results could not be trusted, Uren says.

‘Strong Attack Group’

Berserk Bear – the name assigned to the group by cybersecurity firm CrowdStrike, which uses such animal designations for nation-state adversaries – is also known by a variety of other nicknames, including Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, Iron Liberty and Koala Team. CrowdStrike describes Berserk Bear as an adversary group with “strong ties to Moscow” and whose operations “align very closely with the likely collection priorities of Russian intelligence.”

Some cybersecurity experts believe the group is affiliated with Russia’s Federal Security Service, or FSB, which is the successor to the KGB.

The behavior recently attributed to the group is not unusual. The group has “a long history of gaining footholds in critical infrastructure to hold it under threat,” tweets John Hultquist, a senior director of intelligence analysis at cybersecurity firm FireEye. Hultquist says the group has successfully targeted energy providers, water infrastructure and airports.

The U.S. government’s alert describes a variety of tactics the Russian group uses to attack local and state governments. That includes trying to brute force its way into servers, using SQL injection attacks against websites and setting up malicious domains designed to infect victims’ computers.

The group also has used a variety of recent and potent vulnerabilities, including the Windows Netlogon flaw designated CVE-2020-1472; a Microsoft Exchange remote code execution flaw, CVE-2020-0688; and a directory traversal flaw in Citrix, CVE-2019-19781.

“The APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation,” the FBI and CISA say.

Between February and mid-September, Berserk Bear successfully compromised Microsoft Office 365 accounts on at least one victim’s network, the agencies say. In light of those efforts, they have released a list of five vulnerabilities that organizations should ensure they’re patched against, as well as mitigation strategies to counter attacks.
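The brute-force, SQL injection and vulnerability-scanning activity described above is the kind of thing SLTT defenders can surface from ordinary SSH and web server logs. The following is an added example, not code from the advisory or this article, that runs two simple detections over constructed sample log lines: a per-source threshold on failed logins, and a check of request paths for the directory-traversal shape widely published as the probe for the Citrix flaw (and generic `../` traversal) or for SQL-injection-looking parameters. The IP addresses, hostnames and thresholds are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample logs (not real telemetry): an SSH auth log and a web access log.
AUTH_LOG = """\
Oct 20 03:14:01 gw sshd[101]: Failed password for admin from 198.51.100.7 port 4411 ssh2
Oct 20 03:14:02 gw sshd[101]: Failed password for admin from 198.51.100.7 port 4412 ssh2
Oct 20 03:14:03 gw sshd[101]: Failed password for root from 198.51.100.7 port 4413 ssh2
Oct 20 03:14:04 gw sshd[101]: Failed password for clerk from 198.51.100.7 port 4414 ssh2
Oct 20 03:14:05 gw sshd[101]: Failed password for admin from 198.51.100.7 port 4415 ssh2
Oct 20 03:14:06 gw sshd[101]: Failed password for admin from 198.51.100.7 port 4416 ssh2
Oct 20 09:00:00 gw sshd[102]: Failed password for clerk from 203.0.113.9 port 5000 ssh2
"""
WEB_LOG = """\
203.0.113.5 - - [20/Oct/2020:03:20:00 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0
203.0.113.5 - - [20/Oct/2020:03:20:01 +0000] "GET /ecp/default.aspx HTTP/1.1" 200 512
203.0.113.6 - - [20/Oct/2020:03:21:00 +0000] "GET /results.php?id=1'%20OR%20'1'='1 HTTP/1.1" 200 900
192.0.2.10 - - [20/Oct/2020:03:22:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
# Common log format: client IP, then the quoted request line "METHOD PATH PROTOCOL".
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Published CVE-2019-19781 probe shape plus any generic "../" segment.
TRAVERSAL_RE = re.compile(r"/vpn/\.\./vpns/|(?:^|/)\.\./")
# Quote followed by a SQL keyword, or a UNION SELECT, after URL-decoding.
SQLI_RE = re.compile(r"(?i)'\s*(?:or|and|union)\b|\bunion\s+select\b")

def brute_force_sources(log, threshold=5):
    """Return {ip: failed_login_count} for sources at or above the threshold."""
    counts = Counter(m.group(1) for m in map(FAILED_RE.search, log.splitlines()) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def suspicious_web_requests(log):
    """Return (ip, raw_path, reason) for traversal- or injection-shaped requests."""
    hits = []
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        decoded = unquote(path)  # match on the decoded path, report the raw one
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, path, "path-traversal"))
        elif SQLI_RE.search(decoded):
            hits.append((ip, path, "sqli"))
    return hits

if __name__ == "__main__":
    print(brute_force_sources(AUTH_LOG))
    print(suspicious_web_requests(WEB_LOG))
```

In production the same two functions would be fed by a log shipper rather than string constants, and the threshold would be tuned per service; the point is that the advisory's first-stage activity leaves footprints in logs most agencies already collect.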

High Risk: Influence Operations

As the Nov. 3 election approaches, many analysts say that on a state level, numerous races look to be closely contested. With controls to help safeguard voters during the ongoing COVID-19 pandemic, it’s not clear if polls will close on time. Regardless, counting the votes – which some states start after the polls close – could be a prolonged process.

The time between when polls close and a winner is declared is a crucial gap that officials fear could be used to sow doubt about the legitimacy of the election. Attackers need not hack systems to cause chaos.

U.S. officials are on heightened alert for cyber activity – including misinformation and disinformation efforts – that seeks to try to convince voters that election systems aren’t secure or that the result of any election could be in doubt. Due to the coronavirus pandemic, many states are processing record numbers of mail-in ballots.

‘Our Perceptions are the Target’

Hultquist doesn’t think that Russia’s efforts will affect the election’s outcome in any “meaningful” way, but he warns that such activity could decrease trust. He tells Information Security Media Group that Russia “can certainly meddle, but the meddling will have limited effects on results. The point of the meddling is to suggest results can’t be trusted.”

Russia doesn’t have to touch election infrastructure to cause chaos, ASPI’s Uren notes. Simply suggesting that there’s been fraud early during the vote-tallying could be a spark that causes such lies to get amplified across social media or news outlets.

“Anything that the Russians do, even on a small scale, could feed into that,” he says.

Executive Editor Mathew Schwartz contributed to this report.
