DHS, FBI say Russian hackers targeting US state and local systems

by Maggie Miller - 10/22/20 7:58 PM ET

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that a Russian state-sponsored hacking group is targeting U.S. government systems and the aviation industry, successfully accessing at least two servers.

In a joint alert, the FBI and CISA report that a Russian advanced persistent threat (APT) group known in the security community as “Energetic Bear,” among other names, has been attacking U.S. state, local, territorial and tribal (SLTT) government networks, among other targets, since September.

“The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers,” the FBI and CISA wrote in the alert.

The federal agencies noted that in at least one of the successful attacks, the hacking group had been able to access passwords, IT instructions, vendor and purchasing information and printable access badges.

While the FBI and CISA emphasized that there is “no evidence to date that integrity of elections data has been compromised,” the attacks had put some election data stored on SLTT networks at risk.

“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations,” the agencies wrote. “However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.”

The news comes a day after federal officials announced that both Russia and Iran had gained access to U.S. voter information data and were using it to interfere in the presidential election, which raised concerns coming four years after Russian agents were linked to a widespread effort to interfere in the 2016 U.S. presidential elections.

The hacking group behind the attacks was previously linked to cyberattacks in 2014 on hundreds of Western oil and gas companies, along with attacks earlier this year on the San Francisco International Airport.

State and local governments have faced mounting cyberattacks over the past two years, particularly during the COVID-19 pandemic due to more services moving online.

Ransomware attacks in particular have shot up, bringing governments — including the cities of New Orleans, Baltimore and Atlanta — temporarily to their knees and costing millions of dollars to recover from.

State and local officials have begged Congress to appropriate funds for technology modernization and cybersecurity relief during the ongoing pandemic, with a coalition of groups requesting in April that Congress create a “dedicated cybersecurity program” to address new challenges.