Russian APT Fancy Bear may have compromised federal agency

An unnamed U.S. federal agency has been breached, according to a recent report by the Cybersecurity and Infrastructure Security Agency (CISA), and third-party analysts now believe that Fancy Bear, the notorious Russian Advanced Persistent Threat (APT) group, is the likely culprit. 

In this short article, we’ll provide some details about the incident, give you some more background to the story, and share some of CISA’s security recommendations for organizations.

What happened?

The CISA report did not disclose the date of the hack or the name of the agency affected. But it did describe the mechanics of the compromise in detail.

The attackers somehow obtained valid Microsoft Office 365 credentials to gain initial access to the agency’s network; how they obtained these credentials is not known, but CISA speculates that the threat actors may have leveraged a known exploit to compromise an unpatched VPN server. 

After the initial breach, the attackers performed reconnaissance activities to better understand the network and to look for more information, and they also created a user account for themselves. In the end, they were able to achieve persistence on the compromised network, set up a remote connection, execute commands, and steal data. They also deployed a customized malware tool that went undetected by the agency’s anti-malware protection.

Who did it?

According to a WIRED report published this week, there is strong evidence to indicate that the Russian APT group known as Fancy Bear was behind the attack. Fancy Bear, also known as APT28, Sofacy Group, and STRONTIUM, is thought to have the backing of the Russian government, and has been linked to Russian military intelligence by authorities in the UK and the United States. 

Analysts at WIRED point out that an FBI alert sent to various U.S. government and educational organizations in May warned that Fancy Bear was actively targeting networks in the United States; this notification made reference to specific IP addresses associated with Fancy Bear’s malicious activities, and one of these IP addresses also appeared in the recent CISA report about the successful compromise of the federal agency. In addition, researchers note that another IP address mentioned in the CISA report has appeared in connection with Fancy Bear before: a 2019 Department of Energy report cited that second IP address as the origin of network probes attributed to the Russian APT.

What do the attackers want?

It’s not possible to pinpoint a motivation without knowing which agency was compromised, but if the recent breach was indeed the work of Fancy Bear, then we can make some broad assumptions. 

Fancy Bear has been implicated in a wide range of malicious activities, including espionage in support of Russian intelligence gathering, as well as information operations designed to destabilize Russia’s geopolitical rivals. Such actions are ongoing. Security researchers recently discovered a spying campaign that used fake NATO training materials to target the governments of NATO member states and allied nations, apparently with the goal of stealing sensitive data. In September, Microsoft released a report detailing Fancy Bear’s attempts to harvest MS Office 365 credentials from election organizations in the US and UK.

Attempts to hack election organizations are particularly disturbing, since Fancy Bear is generally thought to be the group that hacked the Democratic National Committee in 2016; information stolen in the breach was later leaked in an attempt to destabilize the election. This type of “hack and leak” operation has been studied extensively by security researchers, and is considered a hallmark of Russian information operations.

If Fancy Bear was behind this latest attack on the still-unnamed U.S. agency, the ultimate goal may have been run-of-the-mill spying — or an attempt to steal information for use in a disinformation or destabilization campaign.

How can organizations stay safe?

APTs are a major threat to organizations, and Fancy Bear is just one of many such groups around the world. APTs are typically well-resourced and highly skilled, and often have the unofficial backing of a government, military, or intelligence agency. By and large, their attacks tend to be targeted, which sets them apart from ordinary cybercriminals. 

However, this doesn’t mean that APTs only go after government officials, or that average users can never run into them. These shadowy groups have been known to target organizations in critical non-governmental sectors like finance, healthcare, education, and industry. In addition, APTs associated with pariah states may engage in financially motivated cybercrime in order to fund weapons programs or replace income lost to international sanctions. For example, financial gain is thought to be a major motivation of the North Korea-linked Lazarus Group, an organization that has been involved in numerous attacks on everyday cryptocurrency users (and which is responsible for some of the most sophisticated Mac malware around).

CISA has provided a number of recommendations to help organizations and individuals protect themselves from APT groups. These recommendations include

1. 1

   Use enterprise firewalls

   All organizations are advised to deploy enterprise firewalls in order to better control their network traffic. Firewalls allow an organization to regulate what can enter and exit its network, which makes it much harder for unauthorized individuals to gain access or to exfiltrate data.

2. 2

   Block unused ports

   Connections to a network are made through communication endpoints called ports. Typically, an organization’s network only uses a limited number of ports for its normal functions; however, unused ports can still receive connection requests if they are left open, which is a potential security risk. CISA recommends that organizations block any unused ports using their firewall, and develop a specific process that has to be followed in order to make changes to blocked ports.

3. 3

   Turn on 2FA

   Everyone on the network — and especially users with elevated permissions — should be using 2FA. If a user’s credentials are stolen, 2FA can help stop this initial compromise from turning into a full-blown network incursion. While using multi-factor authentication may take some time to get used to, it is an essential security practice in today’s threat landscape, both for organizations and for individuals.

4. 4

   Update software regularly

   As mentioned above, CISA believes that the attackers may have obtained valid credentials by exploiting unpatched software. In this case, the vulnerability was well known, and the affected vendor had already issued a security patch — but unfortunately, the vulnerable software hadn’t been updated. This is why it’s absolutely crucial to stay on top of OS and software updates, and why we generally recommend automatic updates in order to accomplish this. .