AA20-296A Russian State Sponsored APT Actor Compromise US Government Targets
Indicators
This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory "AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations".
Since at least September 2020, a Russian state-sponsored APT actor, known in open-source reporting under various names such as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala, has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of 1 October 2020, exfiltrated data from at least two victim servers.
This actor has exploited the following CVEs:
CVE-2019-1978
CVE-2019-10149
CVE-2018-13379
CVE-2020-1472
CVE-2020-0688
This STIX file includes IP addresses and domains used by the APT actor to carry out their objectives.
Between early February and mid-September, these APT actors used 213.74.101.65, 212.252.30.170, 5.196.167.184, 37.139.7.16, 149.56.20.55, 91.227.68.97, and 5.45.119.124 to target US SLTT government networks. Successful authentications—including the compromise of Microsoft Office 365 (O365) accounts—have been observed on at least one victim network.
The APT actor is using Turkish IP addresses 213.74.101.65, 213.74.139.196, and 212.252.30.170 to connect to victim web servers.
The actor is using 213.74.101.65 and 213.74.139.196 to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites.
The APT actor also hosted malicious domains, including the possible aviation sector target columbusairports.microsoftonline.host, which resolved to 108.177.235.92, and [cityname].westus2.cloudapp.azure.com; these domains are US registered and likely correspond to SLTT government targets.
IP address 51.159.28.101 appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. Organizations should consider blocking IP address 51.159.28.101 (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).
For additional details about this activity, to include mitigation recommendations, please see Joint Activity Alert "AA20-296A Russian State Sponsored APT Actor Compromise US Government Targets".
CISA
2020-10-21T00:00:00
IP Watchlist: 138.201.186.43
IP Watchlist: 5.45.119.124
IP Watchlist: 91.227.68.97
IP Watchlist: 37.139.7.16
IP Watchlist: 193.37.212.43
IP Watchlist: 5.196.167.184
IP Watchlist: 149.56.20.55
Domain Watchlist: email.microsoftonline.services
Domain Watchlist: microsoftonline.host
Domain Watchlist: columbusairports.microsoftonline.host
IP Watchlist: 108.177.235.92
IP Watchlist: 212.252.30.170
IP Watchlist: 213.74.139.196
IP Watchlist: 213.74.101.65
IP Watchlist: 51.159.28.101
IP Watchlist: 146.0.77.60
Domain Watchlist: microsoftonline.services
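As an added example (not part of the CISA advisory or its STIX file), the Python below loads the watchlist indicators listed above and scans log lines for them, which is the check a defender would run against web-server, DNS and network telemetry after reading this advisory. The log lines, the internal 10.0.x.x addresses, the 203.0.113.5 resolution and the login.microsoftonline.com lookalike are constructed for the example. A hit on a parent domain such as microsoftonline.host is treated as covering any subdomain, tokens that merely look like IPs are validated before comparison, and the [cityname].westus2.cloudapp.azure.com pattern is deliberately left out of the automatic match, since matching on that suffix alone would flag every Azure-hosted service.

```python
"""Match log lines against the AA20-296A watchlist (added example, not CISA code)."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# IP indicators copied from the watchlist in this advisory.
WATCHLIST_IPS: Set[str] = {
    "138.201.186.43", "5.45.119.124", "91.227.68.97", "37.139.7.16",
    "193.37.212.43", "5.196.167.184", "149.56.20.55", "108.177.235.92",
    "212.252.30.170", "213.74.139.196", "213.74.101.65", "51.159.28.101",
    "146.0.77.60",
}

# Domain indicators copied from the watchlist; a parent entry such as
# microsoftonline.host also covers subdomains the actor may add later.
WATCHLIST_DOMAINS: Set[str] = {
    "email.microsoftonline.services",
    "microsoftonline.host",
    "columbusairports.microsoftonline.host",
    "microsoftonline.services",
}

# Dotted-quad tokens not glued to other digits or dots (handles "ip:port").
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Host-name-like tokens; the lookbehind stops a match starting mid-hostname.
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.IGNORECASE)


def domain_hit(host: str) -> Optional[str]:
    """Return the most specific watchlist entry that equals host or is a parent of it."""
    host = host.lower().rstrip(".")
    best = None
    for entry in WATCHLIST_DOMAINS:
        if host == entry or host.endswith("." + entry):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def scan_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (kind, token_seen, watchlist_entry) hits for a single log line."""
    hits: List[Tuple[str, str, str]] = []
    for tok in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(tok)  # drops look-alikes such as 999.1.1.1
        except ValueError:
            continue
        if tok in WATCHLIST_IPS:
            hits.append(("ip", tok, tok))
    for tok in HOST_RE.findall(line):
        entry = domain_hit(tok)
        if entry:
            hits.append(("domain", tok, entry))
    return hits


def scan_log(lines) -> Dict[int, List[Tuple[str, str, str]]]:
    """Map 1-based line number to its hits, keeping only lines with at least one."""
    result: Dict[int, List[Tuple[str, str, str]]] = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            result[number] = hits
    return result


# Constructed sample telemetry: an access log, DNS resolver output and a
# connection record. None of it is real victim data.
SAMPLE_LOG = [
    '213.74.101.65 - - [14/Sep/2020:03:12:07 +0000] "POST /login.aspx HTTP/1.1" 401 512',
    '10.0.3.14 - - [14/Sep/2020:03:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
    "dns query from 10.0.3.14: columbusairports.microsoftonline.host -> 108.177.235.92",
    "dns query from 10.0.3.14: login.microsoftonline.com -> 203.0.113.5",
    "outbound tcp 10.0.3.22:49812 -> 51.159.28.101:445 state=ESTABLISHED",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        for kind, seen, entry in hits:
            print(f"line {number}: {kind} {seen} matches watchlist entry {entry}")
```

Line 4 shows why the parent-domain rule has to be anchored on the watchlist entries rather than on the string "microsoftonline": the legitimate login.microsoftonline.com is not flagged. Line 5 is the case the advisory singles out, an outbound connection to 51.159.28.101, which the text notes is configured to receive stolen NTLM credentials; a block on that address alone is not a full mitigation, so the match is worth alerting on rather than silently dropping.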