Last week, the F.B.I. and the Cybersecurity and Infrastructure Security Agency (CISA) reported that state-sponsored Russian hackers succeeded in breaching a number of government networks and have “exfiltrated data from at least two victim servers.”
Admittedly, the advisory's wording can be confusing, because it says the actors are specifically targeting "SLTT" networks. SLTT is simply the government's shorthand for state, local, tribal, and territorial government entities, so the report is talking about the networks of those governments themselves, not about a membership network. There is a related body with a similar name, the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC), which shares threat information and cybersecurity tools among its members, and the Center for Internet Security offers these governments tooling and hardening advice such as the CIS SecureSuite. Belonging to such a group is not what makes an agency a target; being a state or local government is.
That resolves what looks, on the surface, like a puzzle: why would a hacking group attack a network that was designed to identify hackers? It didn't. It attacked the governments that such groups exist to protect. What the report does show is that the actors were collecting information about how these governments run their networks, which is exactly what you would do if you intended to come back later and compromise them more quietly. In addition, because these agencies share information with each other and with the intelligence community, a foothold in one of them is a natural starting point for reaching its partners, although the report does not describe that happening.
Here is what the report says the actors obtained from one such agency, followed in parentheses by my reading of why they wanted it and how they would use it.
• Sensitive network configurations and passwords.
(Map the network, find unpatched or misconfigured components, and use the passwords for widespread access without having to exploit anything.)
• Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
(Learn how MFA enrollment works so that they can enroll their own device against a stolen account, or talk a help desk through the process on their behalf.)
• IT instructions, such as requesting password resets.
(Impersonate a legitimate employee to the help desk and have a password reset performed for them, following the agency's own script so nothing looks out of place.)
• Vendors and purchasing information.
(Learn which third parties connect to the network so that those suppliers can be spearphished and used as a way in.)
• Printing access badges.
(Forge badges for physical access to the buildings, for example to plug their own device into the internal network or install malware on a local machine.)
From this example alone, I would have to conclude that these hackers have been planning a major breach, and it is this that the F.B.I. is so concerned about.
Interestingly, the report states that "to date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations." In other words, aviation, education, elections, and government operations are the sectors in view, and the absence of disruption so far says nothing about what is planned.
This is not a good time to be an IT systems administrator. The report lists numerous actions that must be taken to mitigate this activity, ranging from blocking attacker IP addresses to patching software vulnerabilities. It then makes special reference to the Netlogon (Zerologon) vulnerability that I recently posted on, whose fix Microsoft is rolling out in phases, with the enforcement phase not due until next year. The remark on this vulnerability in the report is startling. It reads, "if there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed." In Active Directory, a forest is the top-level security boundary: one or more domains that share a common schema and configuration and trust one another. Rebuilding a forest means standing up new domain controllers, recreating every account, group, and policy, and migrating every system into the new structure, all while hoping that the attacker who forced the rebuild does not simply follow you into the new forest.
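The advisory's rule turns on "an observation of CVE-2020-1472 Netlogon activity", so it is worth being concrete about what that observation looks like in Windows logs. The following is an added example written for this post, not code from the advisory or from Microsoft. It triages exported Windows event records for two well-known Zerologon footprints: Security event 4742 (computer account changed) where the subject is ANONYMOUS LOGON (SID S-1-5-7), which is what the exploit leaves behind when it resets a domain controller's machine account password over a null session, and the System-log Netlogon events 5827 through 5831 that domain controllers emit after the August 2020 update whenever a client uses the vulnerable secure-channel mode. The dictionary keys are assumed to mirror the event data fields, the list of domain controllers is supplied by the operator, and the sample records are constructed for illustration.

```python
# Added example: triage of Windows event records for Zerologon (CVE-2020-1472) indicators.
# Illustrative code written for this post, not from the FBI/CISA advisory or Microsoft.
# Assumptions: events exported from the Security and System logs as dictionaries whose
# keys mirror the event's data fields; the sample records below are constructed.
from dataclasses import dataclass

ANONYMOUS_LOGON_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON

# System-log Netlogon events added to domain controllers by the August 2020 update.
NETLOGON_VULNERABLE_ALLOWED = {5829, 5830, 5831}  # vulnerable secure channel permitted
NETLOGON_VULNERABLE_DENIED = {5827, 5828}         # vulnerable secure channel refused


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "high", "medium" or "low"
    event_id: int
    host: str       # domain controller that logged the event
    detail: str


def _sam(name: str) -> str:
    """Normalise a computer account name: upper-case, without the trailing '$'."""
    return name.upper().rstrip("$")


def triage(events, domain_controllers):
    """Return a Finding for every event that matches a Zerologon indicator.

    A 4742 whose subject is ANONYMOUS LOGON is the footprint of the exploit resetting
    a machine account password over a null session; against a domain controller
    account that is critical. Events 5829-5831 mean a DC accepted the vulnerable RPC
    mode; legacy devices produce these too, so they are leads, not proof.
    """
    dcs = {_sam(n) for n in domain_controllers}
    findings = []
    for ev in events:
        eid = ev["EventID"]
        host = ev.get("Computer", "?")
        if eid == 4742:
            if ev.get("SubjectUserSid") != ANONYMOUS_LOGON_SID:
                continue  # ordinary account change by an authenticated principal
            target = _sam(ev.get("TargetUserName", ""))
            if target in dcs:
                findings.append(Finding("critical", eid, host,
                    f"domain controller account {target}$ changed by ANONYMOUS LOGON; "
                    "assume AD administrative accounts are compromised"))
            else:
                findings.append(Finding("high", eid, host,
                    f"computer account {target}$ changed by ANONYMOUS LOGON"))
        elif eid in NETLOGON_VULNERABLE_ALLOWED:
            findings.append(Finding("medium", eid, host,
                f"vulnerable Netlogon secure channel allowed from "
                f"{ev.get('MachineSamAccountName', '?')}; patch or isolate that device"))
        elif eid in NETLOGON_VULNERABLE_DENIED:
            findings.append(Finding("low", eid, host,
                f"vulnerable Netlogon secure channel denied from "
                f"{ev.get('MachineSamAccountName', '?')}"))
    return findings


def forest_should_be_considered_compromised(findings):
    """The advisory's rule of thumb: credible Netlogon abuse against a domain
    controller means the forest can no longer be trusted."""
    return any(f.severity == "critical" for f in findings)


# Constructed sample records (not real telemetry).
SAMPLE_DCS = ["DC01$", "DC02$"]
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jsmith"},              # noise
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": "S-1-5-21-111-222-333-1105",
     "SubjectUserName": "svc_sccm", "TargetUserName": "WS12$"},                     # routine
    {"EventID": 5827, "Computer": "DC02", "MachineSamAccountName": "OLDNAS$"},     # blocked
    {"EventID": 5829, "Computer": "DC01", "MachineSamAccountName": "PRINTER7$"},   # allowed
    {"EventID": 4742, "Computer": "DC01", "SubjectUserSid": ANONYMOUS_LOGON_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},             # exploit
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, SAMPLE_DCS)
    for f in results:
        print(f"[{f.severity:8}] {f.event_id} on {f.host}: {f.detail}")
    print("rebuild forest:", forest_should_be_considered_compromised(results))
```

Run against the constructed records, the routine 4742 by a service account is ignored, the blocked and allowed Netlogon events become low- and medium-severity leads, and the anonymous change to DC01$ is the critical finding that, under the advisory's rule, means the forest should be rebuilt rather than cleaned.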
To put this in a clearer light, it appears that the F.B.I. and CISA are quite sure that these Russian hackers have already studied the infrastructure of the affected agencies and are waiting for the right time to flip the switch and begin an attack. Since these intrusions are occurring so close to the American presidential election, it is hard not to conclude that disrupting it, in some way, is the attacker's ultimate goal. The report's own language shows where the agencies' attention lies: it states that "the FBI and CISA have no evidence to date that integrity of elections data has been compromised," which is the kind of reassurance you only give when the question is already on the table, and it goes on to say that the agencies are closely monitoring these networks for exactly that kind of tampering.
The report then goes on to delineate the particular vulnerabilities this hacking team is exploiting, and it looks like they are opportunistically using whatever publicly known flaws remain unpatched in internet-facing software, some recent and some not so recent. In other words, they are looking for unpatched components on these networks from which to gain a foothold. The report's description of the attackers' use of multiple attack vectors is sobering. An attack front that wide will, in my view, almost certainly succeed somewhere, at least in part. The truth is that they may already be hiding on a number of networks that could influence the election in a number of ways.
The main fear here is that endpoints connected to election-result-reporting networks could be used as entrance points into those networks. Once such an endpoint is compromised, it becomes a foothold from which the attacker can move through the rest of the network and control what happens within it. This could mean anything from installing malware that launches a ransomware attack and brings the network down to tampering with the election result numbers themselves. Either scenario could call into question the validity of results in key districts. (See my post on how the entire Pennsylvania election results could be compromised.) Such a disruption could, in these contentious times, cause considerable social unrest, and unrest is really what Russian hackers would most like to see. All of this from compromising a single endpoint. It highlights that it is long past time for government agencies to seriously consider more advanced endpoint protection.
So the battle lines have been drawn. Intelligence agencies are getting ready to thwart any attacks that these hackers may try to deploy. If any attacks are launched, they will almost certainly be timed to occur just before the election results start to come in. These hackers don’t want their attacks mitigated before they cause disruption. Some attacks, indeed, will be stopped, but I would guess that some will make it through. Not all attacks are equal. Some may cause almost no disruption and get little notice while others could cause complete confusion. We can now only wait to see which of these scenarios will play out.