What is Energetic Bear? Here's how Russian hackers attacked federal network and accessed US voters' data
Russian meddling in US presidential elections had made headlines in 2016, and its horrors are looming again. This comes after a Russian hacking group targeted dozens of US state and local government networks and stole data from two of them, namely the FBI and DHS. The Russia-sponsored hackers, Energetic Bear, have reportedly jeopardized US federal networks. They have reportedly gained access to election systems and voter information. As per Daily Mail, the investigation agency, FBI and Department of Homeland Security issued an alert about the breaches on Thursday, October 22. This is the second major warning over foreign hacking as voters head to vote for November 3 elections.
The advisory from the FBI tells about the hackers. “Since at least September 2020, a Russian state-sponsored APT actor — known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting — has conducted a campaign against a wide variety of US targets. The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of 1 October 2020, exfiltrated data from at least two victim servers.”
It stated several points on what information is being hacked. “The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data.” The advisory says that the actor (hacker) “may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities”.
However, until now the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have no proof that the integrity of election data has been compromised. As per Daily Mail, this advisory served as a reminder of Russia's potent capabilities and interference in the election. It is raising concerns over vote tampering that can purportedly undermine the democratic process in elections. The publication reportedly cited intelligence officials who said the hackers' specific plans are not clear. However, it is believed their efforts would be aimed at boosting President Donald Trump's chances of re-election.
Earlier US Director of National Intelligence John Ratcliffe warned that Russia and Iran had obtained voting registration information and might influence elections. “This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy,” Ratcliffe said. Now as fears emerge over purported Russian meddling through hackers, here we shed some light on the group behind the notoriety.
Hacking group: Energetic Bear
Energetic Bear/Crouching Yeti is a widely known Advanced Persistent Threat (APT) group. It is reportedly active since at least 2010. As per Daily Mail, the hacking group is acting at the instruction of Russia's Federal Security Service (FSB).
Elaborating on the group's tactics, the Secure List publication states the group is involved in “sending phishing emails with malicious documents and infecting various servers”. The site adds, “The group uses some of the infected servers for auxiliary purposes – to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group’s main targets.” As per a report in Wired, the group had hacked hundreds of targets in dozens of countries since as early as 2010. It does this by employing so-called "watering hole" attacks that infect websites and plant a Trojan called Havex on visitors' machines.
The group tends to attack various companies that have a strong focus on the energy and industrial sectors. Secure List reported that such companies are mainly situated in the Europe and in the US. As per Daily Mail the group has purportedly engaged in cyberespionage on power grid operators in the US and Europe, as well as on defense and aviation companies. Currently, the group has gained spotlight after US officials said that the Russian hackers have targeted the networks of dozens of state and local governments in America.